Tuesday, February 16, 2016
Friday, February 5, 2016
Example - How to configure a site-to-site VPN with IOS routers
- Router 1 (Left):
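! IKE phase 1 (ISAKMP) policy; must match on both peers
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
! Pre-shared key, bound to the remote peer's address
crypto isakmp key CISCO address 10.10.20.3
!
!
! IPsec phase 2 transform set; must match on both peers
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
! Crypto map: remote peer, transform set, and the ACL selecting traffic to protect
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.20.3
 set transform-set My-Set
 match address R1_TO_R3
!
! Interface facing the peer; the crypto map is applied here
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 crypto map MyMap
!
! Protected LAN
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
!
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
! Crypto ACL: local LAN to remote LAN (mirror of R3_TO_R1 on Router 3)
ip access-list extended R1_TO_R3
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255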
- Router 3 (Right):
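! IKE phase 1 (ISAKMP) policy; must match on both peers
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
! Pre-shared key, bound to the remote peer's address
crypto isakmp key CISCO address 10.10.10.1
!
!
! IPsec phase 2 transform set; must match on both peers
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
!
! Crypto map: remote peer, transform set, and the ACL selecting traffic to protect
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set My-Set
 match address R3_TO_R1
!
! Protected LAN
interface FastEthernet0/0
 ip address 172.16.3.3 255.255.255.0
!
! Interface facing the peer; the crypto map is applied here
interface FastEthernet0/1
 ip address 10.10.20.3 255.255.255.0
 crypto map MyMap
!
router ospf 10
 router-id 3.3.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
! Crypto ACL: local LAN to remote LAN (mirror of R1_TO_R3 on Router 1)
ip access-list extended R3_TO_R1
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255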
- Validation:
Router3#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: MyMap, local addr 10.10.20.3

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3242, #pkts encrypt: 3242, #pkts digest: 3242
    #pkts decaps: 3242, #pkts decrypt: 3242, #pkts verify: 3242
    #pkts compressed: 0, #pkts decompressed: 0

Router3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.1      10.10.20.3      QM_IDLE           1002    0 ACTIVE
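
- Config consistency check (added example, not part of the original post):
The tunnel above only comes up when the two routers agree on the ISAKMP policy, pre-shared key and transform set, each router's peer address is the other's crypto-map interface, and the crypto ACLs mirror each other. This Python sketch checks those points offline; the names facts and mismatches are hypothetical, and R1/R3 are constructed excerpts of the configs above.

```python
import re
# Constructed input: the crypto-relevant lines of the two configs above.
R1 = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.20.3
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.20.3
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 crypto map MyMap
ip access-list extended R1_TO_R3
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
R3 = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key CISCO address 10.10.10.1
crypto ipsec transform-set My-Set esp-aes 192 esp-sha-hmac
crypto map MyMap 10 ipsec-isakmp
 set peer 10.10.10.1
interface FastEthernet0/1
 ip address 10.10.20.3 255.255.255.0
 crypto map MyMap
ip access-list extended R3_TO_R1
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

def facts(cfg):  # extract the settings that must agree with the remote peer
    get = lambda pat: re.search(pat, cfg, re.M).groups()
    return {
        "policy": re.findall(r"^ (?:encr|authentication|group|hash) .+$", cfg, re.M),
        "key": get(r"^crypto isakmp key (\S+) address (\S+)"),  # (secret, bound peer)
        "tset": get(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": get(r"^ set peer (\S+)")[0],
        "local": get(r"^ ip address (\S+) \S+\n crypto map")[0],  # crypto-map interface
        "acl": get(r"^ permit ip (\S+ \S+) (\S+ \S+)$")}  # (source, destination)

def mismatches(cfg_a, cfg_b):  # names of the checks that fail; [] means consistent
    a, b = facts(cfg_a), facts(cfg_b)
    checks = {"isakmp policy": a["policy"] == b["policy"],
              "pre-shared key": a["key"][0] == b["key"][0],
              "transform-set": a["tset"] == b["tset"],
              "peer address": a["peer"] == a["key"][1] == b["local"] and b["peer"] == b["key"][1] == a["local"],
              "mirrored crypto ACL": a["acl"] == b["acl"][::-1]}
    return [name for name, ok in checks.items() if not ok]
```

mismatches(R1, R3) returns an empty list for the configs as posted; a config missing one of the parsed lines raises AttributeError rather than reporting a mismatch.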