An Engineer by Heart !!! A Dreamer, A Pioneer, A Blogger. A Network Engineer Trying to overtake the world with his network engineering skills :) Opinions expressed here are solely my own and do not express the views or opinions of my Present or Past employer.
Tuesday, December 20, 2011
How Well Do You Understand Traceroute
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
BTW... Traceroute is an application, not a protocol in itself :-) It is built on top of existing protocols (UDP or ICMP probes with an increasing TTL, and the ICMP Time Exceeded / Port Unreachable errors routers send back).
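To make the "application, not a protocol" point concrete, here is an added example (my own code, not from the post or from the Cisco note it links) that decodes the ICMP replies a UDP-based traceroute such as the IOS one receives and maps each reply back to the probe that triggered it. It assumes the classic traceroute convention of one destination port per probe, starting at 33434, with three probes per TTL; the packets and the addresses in them (192.0.2.10, 198.51.100.7, 203.0.113.1) are constructed inline so the code runs offline.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH_CODE = 3
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
TRACEROUTE_BASE_PORT = 33434   # classic first probe port (assumption: one port per probe)


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 because these packets are never sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_probe_head(src, dst, sport, dport, ttl):
    """IP + UDP header of a traceroute probe: the part a router quotes back in its ICMP error."""
    udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0)   # constructed 32-byte probe payload
    return build_ipv4_header(src, dst, IPPROTO_UDP, 8 + 32, ttl) + udp


def build_icmp_reply(hop, me, icmp_type, code, quoted):
    """A router's ICMP error as seen on a raw socket: outer IP header, ICMP header, 4 unused bytes, quoted probe."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return build_ipv4_header(hop, me, IPPROTO_ICMP, len(icmp)) + icmp


def parse_reply(raw, base_port=TRACEROUTE_BASE_PORT, nprobes=3):
    """Decode one captured ICMP packet. Returns None unless it is a Time Exceeded or
    Port Unreachable error quoting one of our UDP probes; otherwise returns the hop
    that answered and which TTL / probe number the quoted destination port encodes."""
    ihl = (raw[0] & 0x0F) * 4
    hop = socket.inet_ntoa(raw[12:16])            # outer source = the router that answered
    icmp_type, code = raw[ihl], raw[ihl + 1]
    quoted = raw[ihl + 8:]                        # skip ICMP type/code/checksum + 4 unused bytes
    if len(quoted) < 20:
        return None
    qihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != IPPROTO_UDP or len(quoted) < qihl + 8:
        return None                               # not a UDP probe of ours
    dport = struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]
    seq = dport - base_port
    if seq < 0:
        return None
    if icmp_type == ICMP_TIME_EXCEEDED and code == 0:
        kind = "hop"                              # an intermediate router dropped the probe at TTL 0
    elif icmp_type == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH_CODE:
        kind = "destination"                      # the target itself: nothing listens on the probe port
    else:
        return None
    return {"hop": hop, "ttl": seq // nprobes + 1, "probe": seq % nprobes + 1,
            "kind": kind, "target": socket.inet_ntoa(quoted[16:20])}


if __name__ == "__main__":
    # constructed: second probe at TTL 2 (port 33434 + 4) answered by router 203.0.113.1
    probe = build_probe_head("192.0.2.10", "198.51.100.7", 40000, 33438, 2)
    print(parse_reply(build_icmp_reply("203.0.113.1", "192.0.2.10", ICMP_TIME_EXCEEDED, 0, probe)))
```

The same decoder is all the "protocol" there is to traceroute: Windows tracert sends ICMP Echo probes instead of UDP and matches on the quoted ICMP identifier rather than a UDP port, and the replies it relies on are the same ICMP errors.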
HTH...
Deepak Arora
Evil CCIE
Thursday, December 8, 2011
DMVPN For Dummies - Phase 1 & 2 (Phase 3 Added Too Now)
Lab crypto only: the esp-des / esp-md5-hmac transform set, the ISAKMP policy that leaves encryption and DH group at their IOS defaults (DES, group 1), and the pre-shared key cisco accepted from any peer (address 0.0.0.0) are kept for brevity. In production use AES / SHA transforms, a stronger DH group, and per-peer keys or certificates.
R1(HUB)
=======
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile CRYPTOPROFILE
set transform-set TRANSFORMSET
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 99
no ip split-horizon eigrp 1
ip tcp adjust-mss 1360
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CRYPTOPROFILE
no ip next-hop-self eigrp 1 < Phase 2 only: keeps spoke routes with the spoke as next hop; remove this line when using the Phase 3 configuration
ip nhrp redirect < Phase 3 only: the hub sends NHRP redirects so spokes build spoke-to-spoke shortcut tunnels
!
router eigrp 1
network 10.0.0.1 0.0.0.0
network 1.1.1.1 0.0.0.0
no auto-summary
end
!
##################################################################
R2(SPOKE 1)
===========
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile CRYPTOPROFILE
set transform-set TRANSFORMSET
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 123.0.0.1
ip nhrp map multicast 123.0.0.1
ip nhrp network-id 99
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CRYPTOPROFILE
ip nhrp redirect < Phase 3 only
ip nhrp shortcut < Phase 3 only: the spoke installs shortcut routes learned from the hub's NHRP redirects
!
router eigrp 1
network 10.0.0.2 0.0.0.0
network 2.2.2.2 0.0.0.0
no auto-summary
end
!
##################################################################
R3(SPOKE 2)
===========
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile CRYPTOPROFILE
set transform-set TRANSFORMSET
!
interface Tunnel0
ip address 10.0.0.3 255.255.255.0
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 10.0.0.1 123.0.0.1
ip nhrp map multicast 123.0.0.1
ip nhrp network-id 99
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
tunnel source f0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CRYPTOPROFILE
ip nhrp redirect < Phase 3 only
ip nhrp shortcut < Phase 3 only: the spoke installs shortcut routes learned from the hub's NHRP redirects
!
router eigrp 1
network 10.0.0.3 0.0.0.0
network 3.3.3.3 0.0.0.0
no auto-summary
end
!
More Details :
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html
HTH...
Deepak Arora
Evil CCIE
Tuesday, December 6, 2011
Site To Site VPNs Using IPSEC - Different Variations
IPSEC LAN TO LAN VPN USING CRYPTOMAP (With host to host routing configured)
***************************************************************************
R1
===
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 3600
hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 23.23.23.3
set transform-set PHASE2
match address 100
!
!
interface FastEthernet0/0
crypto map CRYPTOMAP
!
=========================
R3
===
!
crypto isakmp policy 10
encr aes
hash sha
group 5
lifetime 3600
authentication pre-share
exit
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set PHASE2
match address 100
!
interface FastEthernet0/0
crypto map CRYPTOMAP
!
==========================
###########################################################
GRE OVER IPSEC USING THE CRYPTOMAP (often labelled "IPsec over GRE"; what is encrypted is the GRE tunnel between the two endpoints) ( With No host to host routing )
****************************************
R1
===
!
router ospf 1
no network 14.14.14.1 0.0.0.0 area 0 < the LAN leaves OSPF; it is now advertised by EIGRP over the tunnel
!
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 23.23.23.3
!
router eigrp 1
no auto-summary
network 14.14.14.1 0.0.0.0
network 13.13.13.1 0.0.0.0
!
no access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre host 12.12.12.1 host 23.23.23.3 < match the GRE packets themselves: they are sourced and destined by the tunnel endpoints (12.12.12.1 and 23.23.23.3), so a "permit gre" entry between the LAN subnets would never match and nothing would be encrypted
!
R3
===
!
router ospf 1
no network 35.35.35.3 0.0.0.0 area 0 < the LAN leaves OSPF; it is now advertised by EIGRP over the tunnel
!
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 12.12.12.1
!
router eigrp 1
no auto-summary
network 35.35.35.3 0.0.0.0
network 13.13.13.3 0.0.0.0
!
no access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre host 23.23.23.3 host 12.12.12.1 < mirror image of R1's entry: GRE between the tunnel endpoints, not between the LAN subnets
!
=========================================================================
#############################################################################
IPSEC LAN TO LAN Using IPSEC Profile (No host to host routing)
*****************************************************
R1
==
!
crypto ipsec profile IPSEC-PROFILE
set transform-set PHASE2
!
interface FastEthernet0/0
no crypto map CRYPTOMAP < the crypto map (and with it ACL 100) is no longer used; the profile on the tunnel protects everything the tunnel carries
!
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
!
R3
==
!
crypto ipsec profile IPSEC-PROFILE
set transform-set PHASE2
!
interface FastEthernet0/0
no crypto map CRYPTOMAP < the crypto map (and with it ACL 100) is no longer used; the profile on the tunnel protects everything the tunnel carries
!
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
!
=========================================================================
#########################################################################
IPSEC LAN TO LAN Using Static VTI (No host to host routing)
**************************************************
R1
==
!
interface Tunnel0
tunnel mode ipsec ipv4 < static VTI: IPsec tunnel-mode encapsulation directly on the interface, no GRE header
!
no access-list 100 permit gre host 12.12.12.1 host 23.23.23.3 < nothing references ACL 100 once the crypto map is gone
!
R3
==
!
interface Tunnel0
tunnel mode ipsec ipv4 < static VTI: IPsec tunnel-mode encapsulation directly on the interface, no GRE header
!
no access-list 100 permit gre host 23.23.23.3 host 12.12.12.1 < nothing references ACL 100 once the crypto map is gone
!
=========================================================================
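The DMVPN post above and the site-to-site variations here both use lab crypto (DES or 3DES, MD5, DH group 1 or 5, the key cisco, and on the DMVPN hub a key accepted from any peer). As an added example (my own code, not from the posts or from Cisco), here is a small audit script that reads IOS-style crypto lines, fills in the IOS defaults an ISAKMP policy inherits when encr / hash / group are omitted, and reports the weak settings. LAB_CONFIG reproduces the crypto lines of the DMVPN hub; HARDENED_CONFIG is an assumed fixed version (it assumes an IOS release that supports hash sha256 and esp-sha256-hmac), and the 16-character minimum key length is my threshold, not an IOS rule.

```python
import re

# Constructed samples. LAB_CONFIG repeats the DMVPN hub's crypto lines from the post
# above; HARDENED_CONFIG is an assumed fix with a made-up 20-character key.
LAB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set TRANSFORMSET
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp key 7VhK2wq9rLpX3mZ8sTfB address 23.23.23.3
!
crypto ipsec transform-set TRANSFORMSET esp-aes 256 esp-sha256-hmac
 mode transport
"""

# Values IOS applies when an isakmp policy omits the keyword.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups of 1536 bits or less
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
MIN_PSK_LEN = 16                          # assumption: my threshold, not an IOS rule
POLICY_SUBCOMMANDS = {"encr", "encryption", "hash", "group", "lifetime", "authentication"}


def parse_isakmp_policies(config):
    """Return {policy_number: {encr, hash, group, ...}} with IOS defaults filled in.
    Sub-mode lines are accepted with or without the leading space 'show run' emits;
    '!' or any other top-level line ends the policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[m.group(1)] = current
            continue
        words = line.split()
        if current is not None and words and words[0] in POLICY_SUBCOMMANDS:
            key = "encr" if words[0] == "encryption" else words[0]
            current[key] = words[1]           # 'encr aes 256' records 'aes'; the key size is not judged here
        else:
            current = None
    return policies


def audit(config):
    """Return a list of (code, detail) findings; an empty list means nothing weak was seen."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        if pol["encr"] in WEAK_ENCR:
            findings.append(("ISAKMP_WEAK_ENCR", f"policy {num}: encr {pol['encr']}"))
        if pol["hash"] in WEAK_HASH:
            findings.append(("ISAKMP_WEAK_HASH", f"policy {num}: hash {pol['hash']}"))
        if pol["group"] in WEAK_DH_GROUPS:
            findings.append(("ISAKMP_WEAK_DH", f"policy {num}: group {pol['group']}"))
    for m in re.finditer(r"^crypto isakmp key (\S+) address (\S+)", config, re.M):
        key, peer = m.groups()
        if peer == "0.0.0.0":
            findings.append(("WILDCARD_PSK", "isakmp key accepted from any peer (address 0.0.0.0)"))
        if len(key) < MIN_PSK_LEN:
            findings.append(("SHORT_PSK", f"isakmp key for {peer} is only {len(key)} characters"))
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, algs = m.groups()
        weak = sorted(set(algs.split()) & WEAK_ESP)
        if weak:
            findings.append(("WEAK_TRANSFORM", f"transform-set {name}: {' '.join(weak)}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LAB_CONFIG):
        print(f"{code}: {detail}")
```

Run against the DMVPN hub lines it reports the defaulted DES encryption and DH group 1, the wildcard and short key, and both weak ESP algorithms; run against the crypto-map R1 above it would still flag group 5, the key cisco and esp-3des, which is why those lines belong in the lab and not on an Internet-facing router.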
HTH...
Deepak Arora
Evil CCIE