
Tuesday, October 8, 2019

IPSec over GRE Tunneling with Crypto Maps on Cisco IOS

This post extends my previous post, where I configured a loopback-sourced IPSec VPN with crypto maps on Cisco IOS. This time we are going to protect a GRE tunnel with IPSec.

Please refer to my previous posts at the following links for background on the concepts:

Loopbacks Sourced IPSec VPN Configuration with Crypto Maps on Cisco IOS
IPSec Site-to-Site VPN Configuration with Crypto Maps on Cisco IOS
Configuring GRE Tunnels

Here I only discuss the new commands needed to make this work.

The following image gives a high-level view of how this works.

As you can see, the OSPF neighbor adjacency forms through the GRE tunnel (interface Tunnel0) and the user segments are exchanged over it. The loopback interfaces are the source and destination of the GRE tunnel, and the IPSec peering is between the same two loopbacks, so the crypto ACL only needs to match GRE traffic between them. Finally, as always, the crypto map is applied to the physical interface.

The actual setup is as follows:

The configuration of R1 is as follows:

R1(config)#int t0
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source loopback0
R1(config-if)#tunnel destination 3.3.3.3
R1(config-if)#ip ospf 1 area 0

R1(config)#int e0/1
R1(config-if)#ip ospf 1 area 0

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha                 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2                  
R1(config-isakmp)#lifetime 60              
R1(config-isakmp)#encryption aes 

R1(config)#crypto isakmp key PASSWORD address 3.3.3.3

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R1(config)#ip access-list extended 150
R1(config-ext-nacl)#permit gre host 1.1.1.1 host 3.3.3.3

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 150                    
R1(config-crypto-map)#set transform-set TRANSFORMSET       
R1(config-crypto-map)#set peer 3.3.3.3

R1(config)#crypto map CRYPTOMAP local-address Loopback0

R1(config)#int e0/0
R1(config-if)#crypto map CRYPTOMAP

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

The configuration of R3 is as follows:

R3(config)#int t0
R3(config-if)#ip address 13.13.13.3 255.255.255.0
R3(config-if)#tunnel source loopback0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#ip ospf 1 area 0

R3(config)#int e0/1
R3(config-if)#ip ospf 1 area 0

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes 

R3(config)#crypto isakmp key PASSWORD address 1.1.1.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac 

R3(config)#ip access-list extended 150
R3(config-ext-nacl)#permit gre host 3.3.3.3 host 1.1.1.1

R3(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R3(config-crypto-map)#match address 150
R3(config-crypto-map)#set transform-set TRANSFORMSET
R3(config-crypto-map)#set peer 1.1.1.1

R3(config)#crypto map CRYPTOMAP local-address Loopback0

R3(config)#int e0/0
R3(config-if)#crypto map CRYPTOMAP

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.1 255.255.255.255 192.168.12.1

For this topology, R2 also needs routes to the loopbacks, because the outer IP header of the encrypted packet carries the loopback addresses (the IPSec peer addresses) as its source and destination; without those routes R2 cannot forward the ESP packets between R1 and R3.

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3
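The ISAKMP policy and transform set above are fine for a lab, but group 2 (1024-bit Diffie-Hellman), hash sha (SHA-1) and 128-bit AES are weaker than Cisco's own Next Generation Encryption guidance recommends, and an ISAKMP lifetime of 60 seconds makes the peers renegotiate IKE every minute. The following is a hardened equivalent of the R1 crypto configuration, added here as an example and not part of the original post. It keeps the same names, peers and crypto ACL as the lab; the pre-shared key is a placeholder to be replaced, and the MTU/MSS values on Tunnel0 are conventional starting points for GRE over IPSec on a 1500-byte path, not values measured in the original lab. R3 is the mirror image with the addresses swapped.

```cisco
! Phase 1 (IKEv1 policy): replaces the original hash sha / group 2 / lifetime 60
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key: a long random value (placeholder below), scoped to the exact
! peer address so it cannot be used from any other host
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 3.3.3.3 255.255.255.255
!
! Phase 2 (ESP): AES-256 with SHA-256 integrity, tunnel mode
crypto ipsec transform-set TRANSFORMSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only GRE between the two loopbacks, exactly as in the original
ip access-list extended 150
 permit gre host 1.1.1.1 host 3.3.3.3
!
! Crypto map: same as the original plus PFS for the phase 2 keys
crypto map CRYPTOMAP 10 ipsec-isakmp
 match address 150
 set peer 3.3.3.3
 set transform-set TRANSFORMSET
 set pfs group14
crypto map CRYPTOMAP local-address Loopback0
!
! GRE + ESP add overhead; lower the tunnel MTU and clamp TCP MSS so the
! encrypted packets are not fragmented on the physical path (assumed values)
interface Tunnel0
 ip address 13.13.13.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 3.3.3.3
 ip ospf 1 area 0
!
interface Ethernet0/0
 crypto map CRYPTOMAP
```

Both peers must agree on every phase 1 and phase 2 parameter, so apply the same policy, transform set and PFS group on R3 before expecting the ISAKMP SA to come up.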

The routing table of R1 then looks like the following:

The following show commands verify the implementation:
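As an added example that is not part of the original post, these are the IOS commands I would run on R1 to verify each layer of this setup, with the addresses of the lab above and the fields worth checking in each output.

```cisco
! IKE phase 1: expect one SA between 1.1.1.1 and 3.3.3.3 in state QM_IDLE, status ACTIVE
R1#show crypto isakmp sa
!
! IKE phase 2: "local ident" / "remote ident" must be the GRE proxy IDs
! (1.1.1.1/255.255.255.255/47/0 and 3.3.3.3/255.255.255.255/47/0), and
! #pkts encaps / #pkts decaps must increase while traffic crosses the tunnel;
! #send errors and #recv errors should stay at 0
R1#show crypto ipsec sa
!
! Generate tunnel traffic sourced from R1's tunnel address so the GRE packets
! match crypto ACL 150 and the counters above move
R1#ping 13.13.13.3 source 13.13.13.1 repeat 20
!
! OSPF must form the adjacency over Tunnel0, not over the physical interface
R1#show ip ospf neighbor
!
! The remote user segment should be learned via Tunnel0 with next hop 13.13.13.3
R1#show ip route ospf
!
! Confirm the crypto map is bound to Ethernet0/0 with peer 3.3.3.3 and ACL 150
R1#show crypto map
!
! Tunnel0 should be up/up; if it is not, check the static routes to the loopbacks
! on R1, R2 and R3 first, since GRE needs them before IPSec has anything to protect
R1#show interfaces tunnel 0
```

If show crypto isakmp sa is empty after the ping, the ISAKMP policies or the pre-shared key do not match; if phase 1 is ACTIVE but the encaps counter does not move, the crypto ACLs on the two routers are not mirror images or the crypto map is on the wrong interface.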