IPSec over Static Virtual Tunnel Interface on Cisco IOS
The provider network is marked in blue in the diagram. The setup has three routers (R1, R2 and R3) connected over the Internet; they represent three sites, and a PC behind each one is used to test connectivity. The IP addressing follows the diagram. The SP router holds the second IP of each point-to-point link, and R1, R2 and R3 each have a static default route pointing at that IP.
Let's continue with the configuration. These are the steps:
1. Define the Key Ring
2. Create IKE Phase 1 Policy
3. Create IKE Phase 2 Policy
4. Create IPSec Profile
5. Create Virtual Template
6. Create ISAKMP Profile
7. Configure Dynamic Routing Protocol
Let's take R1 as the hub.
1. Define the Key Ring
For this setup, I am going to use a keyring that holds a unique key for each peer.
R1(config)#crypto keyring KEY_RING
R1(conf-keyring)#pre-shared-key address 26.68.13.1 key R1R2
R1(conf-keyring)#pre-shared-key address 32.18.32.1 key R1R3
2. Create IKE Phase 1 Policy
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#authentication pre-share
Note that encryption aes with no key size means AES-128 and group 5 is the 1536-bit MODP group; both SHA-1 and group 5 are below current recommendations (SHA-256 and group 14 or higher). Whatever is chosen here must be matched exactly by the spoke policies, or phase 1 never completes.
3. Create IKE Phase 2 Policy
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
4. Create IPSec Profile
The IPsec profile replaces the crypto map. Instead of binding crypto to a physical interface with a crypto map and a crypto ACL, the profile is attached to a tunnel interface with tunnel protection, and everything routed into that tunnel is encrypted.
R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set TSET
5. Create the Virtual Template
The virtual template holds the interface-level configuration. For each spoke that completes IKE, IOS clones it into a per-tunnel virtual-access interface. The IP address is borrowed from Loopback0 (1.1.1.1 on R1, which must already exist) with ip unnumbered; no tunnel source or destination is needed because both are learned from the IKE negotiation.
R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE
6. Create the ISAKMP Profile
This is where everything is tied together: which peer identities the profile applies to, which keyring holds their keys, and which virtual template is cloned for each of them.
R1(config)#crypto isakmp profile ISAKMP_PROFILE
R1(conf-isa-prof)#match identity address 26.68.13.1
R1(conf-isa-prof)#match identity address 32.18.32.1
R1(conf-isa-prof)#keyring KEY_RING
R1(conf-isa-prof)#virtual-template 1
7. Configure Dynamic Routing Protocol
This is needed so the hub and the spokes learn each other's LAN networks. Because the virtual-access interfaces borrow the loopback address, the network 1.1.1.1 statement also enables OSPF on every cloned tunnel.
R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
The spokes do not need a DVTI (Dynamic Virtual Tunnel Interface); a static VTI pointing at the hub is enough.
R2's configuration is as follows:
crypto isakmp key R1R2 address 13.18.12.1
crypto isakmp policy 1
encryption aes
hash sha
group 5
authentication pre-share
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROFILE
set transform-set TRANSFORM_SET
interface Tunnel 0
ip unnumbered loopback 0
tunnel source e0/0
tunnel destination 13.18.12.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 192.168.2.0 0.0.0.255 area 0
R3's configuration is as follows:
crypto isakmp key R1R3 address 13.18.12.1
crypto isakmp policy 1
encryption aes
hash sha
group 5
authentication pre-share
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROFILE
set transform-set TRANSFORM_SET
interface Tunnel 0
ip unnumbered loopback 0
tunnel source e0/0
tunnel destination 13.18.12.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 192.168.3.0 0.0.0.255 area 0
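The hub and spoke fragments above only work if a handful of values line up: the key in the hub keyring entry for a spoke's WAN address must equal the key that spoke holds for the hub's address, at least one ISAKMP policy must match attribute for attribute, the ESP transform sets must agree, and each spoke's tunnel destination must be the hub. The script below is an added example, not code from the original post: a small static review tool that parses IOS-style lines (the post's R1 and R2 crypto lines are embedded, prompts included, and R3 is derived from R2 by swapping the key) and reports the mismatches that would stop a tunnel from coming up. The WAN addresses (R1 13.18.12.1, R2 26.68.13.1, R3 32.18.32.1) are taken from the post's key statements; the broken R3 variant and the list of weak settings (DH groups below 2048 bits, SHA-1/MD5, DES/3DES) are my additions and reflect current guidance rather than anything the post states.

```python
# Hub/spoke IKEv1 and IPsec consistency check. Added example, not code from the post.
import re
from dataclasses import dataclass, field

PROMPT = re.compile(r"^\S+?\([^)]*\)#")  # strips prompts such as "R1(config-isakmp)#"
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}  # IOS defaults
WEAK = {"group": {"1", "2", "5"}, "hash": {"md5", "sha"}, "encryption": {"des", "3des"}}  # below current guidance
# The post's R1 crypto lines, prompts included; OSPF, profile and template lines are not checked.
R1_HUB = """
R1(config)#crypto keyring KEY_RING
R1(conf-keyring)#pre-shared-key address 26.68.13.1 key R1R2
R1(conf-keyring)#pre-shared-key address 32.18.32.1 key R1R3
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#authentication pre-share
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
"""
# The post's R2 crypto lines (profile and OSPF lines omitted).
R2_SPOKE = """
crypto isakmp key R1R2 address 13.18.12.1
crypto isakmp policy 1
encryption aes
hash sha
group 5
authentication pre-share
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
interface Tunnel 0
tunnel destination 13.18.12.1
"""
R3_SPOKE = R2_SPOKE.replace("key R1R2", "key R1R3")  # R3 differs from R2 only in its key
R3_BROKEN = R3_SPOKE.replace("key R1R3", "key R1R4").replace("group 5", "group 2")  # constructed: typo + wrong DH group

@dataclass
class Peer:
    name: str
    wan_ip: str                                          # IKE identity / tunnel endpoint
    psks: dict = field(default_factory=dict)             # peer address -> key
    policies: list = field(default_factory=list)         # one dict per isakmp policy
    transform_sets: dict = field(default_factory=dict)   # name -> sorted ESP algorithms
    tunnel_dest: str = ""

def parse_config(name, wan_ip, text):
    cfg, ctx = Peer(name, wan_ip), None
    for raw in text.splitlines():
        w = PROMPT.sub("", raw).split()
        if not w:
            continue
        if w[:2] == ["crypto", "keyring"]:
            ctx = "keyring"
        elif w[:3] == ["crypto", "isakmp", "key"]:          # crypto isakmp key K address A
            cfg.psks[w[5]] = w[3]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "policy"
            cfg.policies.append({})
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # ... NAME esp-aes esp-sha-hmac
            ctx = None
            cfg.transform_sets[w[3]] = tuple(sorted(w[4:]))
        elif w[0] == "interface":
            ctx = "interface"
        elif w[0] in ("crypto", "router"):                   # profiles and OSPF: not checked
            ctx = None
        elif ctx == "keyring" and w[0] == "pre-shared-key":  # pre-shared-key address A key K
            cfg.psks[w[2]] = w[4]
        elif ctx == "policy" and w[0] in DEFAULTS:
            cfg.policies[-1][w[0]] = w[1]
        elif ctx == "interface" and w[:2] == ["tunnel", "destination"]:
            cfg.tunnel_dest = w[2]
    return cfg

def check_pair(hub, spoke):
    """Return (errors, warnings) for one hub/spoke pair."""
    errors, warnings = [], []
    hk, sk = hub.psks.get(spoke.wan_ip), spoke.psks.get(hub.wan_ip)
    if hk is None or sk is None:
        errors.append(f"missing pre-shared key between {hub.name} and {spoke.name}")
    elif hk != sk:
        errors.append(f"pre-shared key mismatch between {hub.name} and {spoke.name}")
    # Phase 1: the responder needs one policy whose attributes all equal a proposal's.
    def proposals(p):
        return {tuple(pol.get(a, d) for a, d in DEFAULTS.items()) for pol in p.policies}
    if not proposals(hub) & proposals(spoke):
        errors.append(f"no common ISAKMP policy between {hub.name} and {spoke.name}")
    # Phase 2: ESP algorithms must match (tunnel/transport mode is not compared here).
    if not set(hub.transform_sets.values()) & set(spoke.transform_sets.values()):
        errors.append(f"no common transform set between {hub.name} and {spoke.name}")
    if spoke.tunnel_dest != hub.wan_ip:
        errors.append(f"{spoke.name} tunnel destination {spoke.tunnel_dest!r} is not {hub.wan_ip}")
    for side in (hub, spoke):
        for pol in side.policies:
            warnings += [f"{side.name}: {a} {pol.get(a, DEFAULTS[a])} is weak"
                         for a in WEAK if pol.get(a, DEFAULTS[a]) in WEAK[a]]
    return errors, sorted(set(warnings))

def check_site(hub_text, spokes, hub_ip="13.18.12.1"):
    hub = parse_config("R1", hub_ip, hub_text)
    return {n: check_pair(hub, parse_config(n, ip, txt)) for n, ip, txt in spokes}
```

Run check_site(R1_HUB, [("R2", "26.68.13.1", R2_SPOKE), ("R3", "32.18.32.1", R3_SPOKE)]) and the post's configs come back with no errors, only the group 5 and SHA-1 warnings on every router; swap in R3_BROKEN and the result lists a pre-shared key mismatch and no common ISAKMP policy, which is exactly what a "MM_NO_STATE" or "no pre-shared key" failure on the real routers comes down to. Phase 2 lifetimes and PFS are deliberately left out: lifetimes do not have to match in IKEv1, and the post configures neither.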
The following show commands verify the work (their output is not reproduced here); the ones to look at are show crypto session, show crypto ipsec sa, show ip interface brief and show ip ospf neighbor.
Note that the virtual-template interface stays down while the virtual-access interfaces are up; this is the normal behavior.
As the outputs above show, the OSPF neighbors are formed through the virtual-access interfaces.
I think the multicast hellos are encapsulated and sent through the tunnel, and that is how the OSPF neighbor relationship is formed in the first place.
A ping and a traceroute from PC1 to PC3 look like the following: