network – cisco router – gre ipsec vpn

Topology – using GNS3

R1
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key MyExploit address 192.168.3.2
!
crypto ipsec transform-set my-tran esp-aes 256 esp-sha-hmac
!
crypto map my-map 1 ipsec-isakmp
description tunnel-to-192.168.3.2
set peer 192.168.3.2
set transform-set my-tran
match address 100
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.192.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.3.2
tunnel path-mtu-discovery
keepalive 0
crypto map my-map
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map my-map
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 10
network 1.0.0.0
network 192.168.192.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
access-list 100 permit gre host 192.168.1.1 host 192.168.3.2

———————————————

R4

!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key MyExploit address 192.168.1.1
!
crypto ipsec transform-set my-tran esp-aes 256 esp-sha-hmac
!
crypto map my-map 1 ipsec-isakmp
description tunnel-to-192.168.1.1
set peer 192.168.1.1
set transform-set my-tran
match address 100
!
interface Loopback4
ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
ip address 192.168.192.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.1.1
tunnel path-mtu-discovery
keepalive 0
crypto map my-map
!
interface FastEthernet0/0
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
crypto map my-map
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 10
network 4.0.0.0
network 192.168.192.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
access-list 100 permit gre host 192.168.3.2 host 192.168.1.1
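
As an added example (not part of the original post), a small Python check that two crypto-map GRE-over-IPsec configs such as R1 and R4 above mirror each other: each side's `set peer`, `tunnel destination`, ISAKMP key address and GRE access-list must all name the far side's tunnel-source address, and the pre-shared key and transform set must match on both ends. The regex parse is tuned to this page's layout (indentation stripped, one crypto map and one tunnel per router), and the sample R4 is derived from R1 by swapping the two WAN addresses, which is exactly how the page's R4 differs from R1.

```python
import re

def parse_peer(cfg):
    """Extract the GRE-over-IPsec fields of one peer that must mirror the far side."""
    def get(p):
        m = re.search(p, cfg, re.M); return m.group(1) if m else None
    src_if = get(r"^\s*tunnel source (\S+)") or ""
    return {
        "key":       get(r"^crypto isakmp key (\S+) address"),
        "key_addr":  get(r"^crypto isakmp key \S+ address (\S+)"),
        "transform": get(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer":      get(r"^\s*set peer (\S+)"),
        "tun_dst":   get(r"^\s*tunnel destination (\S+)"),
        # address of the interface named as tunnel source (stop at the next interface or '!')
        "wan_ip":    get(rf"^interface {re.escape(src_if)}\n(?:(?!interface |!).*\n)*?\s*ip address (\S+)"),
        "acl_src":   get(r"^access-list \d+ permit gre host (\S+) host \S+"),
        "acl_dst":   get(r"^access-list \d+ permit gre host \S+ host (\S+)"),
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two peers; an empty list means they mirror correctly."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    problems = []
    for side, x, y in (("A", a, b), ("B", b, a)):
        # 'set peer' must be the far side's tunnel-source address; every local line naming the peer must agree
        for what, got, want in (("set peer vs far-side WAN", x["peer"], y["wan_ip"]),
                                ("tunnel destination", x["tun_dst"], x["peer"]),
                                ("isakmp key address", x["key_addr"], x["peer"]),
                                ("ACL gre source", x["acl_src"], x["wan_ip"]),
                                ("ACL gre destination", x["acl_dst"], x["peer"])):
            if got != want:
                problems.append(f"{side}: {what}: {got} != {want}")
    for what in ("key", "transform"):  # both sides must use the same PSK and transform set
        if a[what] != b[what]:
            problems.append(f"{what} differs: {a[what]} vs {b[what]}")
    return problems

# Constructed sample: the crypto-relevant lines of R1 from this page; R4 is derived by swapping the WAN addresses
R1_CFG = """crypto isakmp key MyExploit address 192.168.3.2
crypto ipsec transform-set my-tran esp-aes 256 esp-sha-hmac
set peer 192.168.3.2
tunnel source FastEthernet0/0
tunnel destination 192.168.3.2
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
access-list 100 permit gre host 192.168.1.1 host 192.168.3.2
"""
def mirror(cfg, local, remote):
    return cfg.replace(local, "\0").replace(remote, local).replace("\0", remote)
R4_CFG = mirror(R1_CFG, "192.168.1.1", "192.168.3.2")
```

Run `check_pair(R1_CFG, R4_CFG)` on a consistent pair to get an empty list; a mistyped peer address on one side reports every statement on that side that no longer agrees with it.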

————————————————————

Testing


1. Ping

R1#ping 4.4.4.4 source 1.1.1.1 repeat 20

Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 80/112/140 ms

2. Dynamic routing is working (D = EIGRP)

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C    192.168.192.0/24 is directly connected, Tunnel0
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     4.0.0.0/32 is subnetted, 1 subnets
D       4.4.4.4 [90/297372416] via 192.168.192.1, 00:30:40, Tunnel0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.2

You should see an EIGRP-learned (D) route to the remote loopback over the tunnel, as in: D 4.4.4.4 [90/297372416] via 192.168.192.1, 00:30:40, Tunnel0

3. Checking encryption is working

R1#sh crypto ipsec sa

#pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
#pkts decaps: 494, #pkts decrypt: 494, #pkts verify: 494


4. Checking phase one is working (ISAKMP)

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.3.2     192.168.1.1     QM_IDLE           1001    0 ACTIVE
