IPSEC LAN TO LAN VPN USING CRYPTOMAP (With host to host routing configured)
***************************************************************************
R1
===
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 3600
hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 23.23.23.3
set transform-set PHASE2
match address 100
!
!
interface FastEthernet0/0
crypto map CRYPTOMAP
!
=========================
R3
===
!
crypto isakmp policy 10
encryption aes
hash sha
group 5
lifetime 3600
authentication pre-share
exit
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 12.12.12.1
set transform-set PHASE2
match address 100
!
interface FastEthernet0/0
crypto map CRYPTOMAP
!
==========================
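An added example, not part of the original post and not Cisco tooling: the Python script below parses the two peers' phase-1 (ISAKMP) policy and phase-2 transform set exactly as the post writes them, including the abbreviated keyword forms IOS accepts (`enc`, `gr`, `life`, `authen pre`), checks that the peers would actually agree on phase 1 (identical encryption, hash, DH group and authentication; the shorter lifetime wins) and phase 2 (identical transform set), and flags parameters that current guidance (NIST SP 800-131A, Cisco Next Generation Encryption) treats as weak. The `WEAK` table, the 16-character minimum pre-shared key length and the unset-parameter defaults are assumptions made for this example.

```python
"""Cross-check two IOS IPsec peers' crypto settings (added example)."""

# Config text copied from the post's R1 and R3 sections.
R1 = """
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 3600
hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
"""

R3 = """
crypto isakmp policy 10
enc aes
hash sha
gr 5
life 3600
authen pre
exit
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
"""

POLICY_KEYWORDS = ("encryption", "hash", "group", "lifetime", "authentication")
AUTH_VALUES = ("pre-share", "rsa-sig", "rsa-encr")
# Assumed IOS defaults used when a policy does not set a parameter explicitly.
DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
            "lifetime": "86400", "authentication": "rsa-sig"}
# Assumption for this example: DES/3DES, MD5, SHA-1 ("sha" in IOS),
# DH groups 1/2/5 and short pre-shared keys are flagged.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"},
        "group": {"1", "2", "5"},
        "esp": {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}}
MIN_PSK_LEN = 16


def expand(word, full_forms):
    """Resolve an IOS abbreviation ('authen' -> 'authentication') by unique prefix match."""
    hits = [f for f in full_forms if f.startswith(word.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword: {word!r}")
    return hits[0]


def parse_peer(config):
    """Extract the isakmp policy, pre-shared key, key peer address and ESP transforms."""
    peer = {"policy": dict(DEFAULTS), "psk": None, "key_peer": None,
            "transforms": frozenset()}
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and words[0] in ("!", "exit"):
            in_policy = False
        elif in_policy:
            key = expand(words[0], POLICY_KEYWORDS)
            val = expand(words[1], AUTH_VALUES) if key == "authentication" else words[1].lower()
            peer["policy"][key] = val
        elif line.startswith("crypto isakmp key"):
            peer["psk"], peer["key_peer"] = words[3], words[-1]
        elif line.startswith("crypto ipsec transform-set"):
            peer["transforms"] = frozenset(w.lower() for w in words[4:])
    return peer


def phase1_agreement(pa, pb):
    """IKE phase 1 needs identical encryption/hash/group/authentication;
    the lifetime negotiates down to the shorter of the two."""
    mismatches = [k for k in ("encryption", "hash", "group", "authentication")
                  if pa[k] != pb[k]]
    if mismatches:
        return mismatches, None
    agreed = dict(pa)
    agreed["lifetime"] = str(min(int(pa["lifetime"]), int(pb["lifetime"])))
    return mismatches, agreed


def weak_settings(peer):
    """List weak parameters on one peer as 'what: value' strings."""
    out = [f"isakmp {k}: {peer['policy'][k]}" for k in ("encryption", "hash", "group")
           if peer["policy"][k] in WEAK[k]]
    out += [f"esp: {t}" for t in sorted(peer["transforms"] & WEAK["esp"])]
    if peer["psk"] is not None and len(peer["psk"]) < MIN_PSK_LEN:
        out.append(f"psk: {len(peer['psk'])} chars")
    return out


def check_pair(cfg_a, cfg_b):
    """Full report for a pair of peers: phase-1/phase-2 agreement plus weak settings."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    mismatches, agreed = phase1_agreement(a["policy"], b["policy"])
    return {"phase1_mismatch": mismatches, "phase1_agreed": agreed,
            "phase2_match": a["transforms"] == b["transforms"],
            "weak_a": weak_settings(a), "weak_b": weak_settings(b)}


if __name__ == "__main__":
    for key, value in check_pair(R1, R3).items():
        print(f"{key}: {value}")
```

Run as-is it reports no phase-1 mismatch and a matching transform set for the post's lab, and flags 3DES in ESP, DH group 5, SHA-1 and the five-character pre-shared key on both routers. The prefix-match resolver is the same rule IOS applies when it accepts `gr 5` for `group 5`, which is why the two differently typed policies parse to the same result.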
###########################################################
IPSEC OVER GRE (With No host to host routing)
****************************************
R1
===
!
router ospf 1
no network 14.14.14.1 0.0.0.0 area 0
!
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 23.23.23.3
!
router eigrp 1
no auto-summary
network 14.14.14.1 0.0.0.0
network 13.13.13.1 0.0.0.0
!
no access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
no access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!
R3
===
!
router ospf 1
no network 35.35.35.3 0.0.0.0 area 0
!
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 12.12.12.1
!
router eigrp 1
no auto-summary
network 35.35.35.3 0.0.0.0
network 13.13.13.3 0.0.0.0
!
no access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
no access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
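An added example, not from the original post: the Python below treats the crypto ACLs from the crypto-map and GRE sections above as what they are to IPsec, traffic selectors, and evaluates constructed packets against them. It shows why the LAN-to-LAN `permit ip` entry stops matching once traffic rides inside GRE (the crypto map now sees GRE packets between the tunnel endpoints 12.12.12.1 and 23.23.23.3, not the LAN addresses), why the intermediate `permit gre 14.14.14.0 ... 35.35.35.0` entry that the post adds and then removes matches nothing, and it checks that the two peers' ACLs are exact mirrors, which catches the kind of wildcard-mask typo that silently breaks phase 2. The addresses are the post's; the packets and the mis-typed ACE used in the test are constructed for this example.

```python
"""IOS crypto ACL as IPsec traffic selector (added example)."""
import ipaddress
from dataclasses import dataclass


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    proto: str
    src: tuple  # (address, wildcard) as ints; address already masked
    dst: tuple


def _parse_target(words):
    """Consume one IOS address spec ('host X', 'any', or 'addr wildcard')."""
    if words[0] == "host":
        return (_ip(words[1]), 0), words[2:]
    if words[0] == "any":
        return (0, 0xFFFFFFFF), words[1:]
    addr, wc = _ip(words[0]), _ip(words[1])
    # IOS keeps only the bits the wildcard cares about (0 bits), so
    # '14.14.14.1 0.0.0.255' is stored as 14.14.14.0 0.0.0.255.
    return (addr & ~wc & 0xFFFFFFFF, wc), words[2:]


def parse_ace(line):
    """Parse 'access-list N permit <proto> <src-spec> <dst-spec>'."""
    words = line.split()
    if words[:1] != ["access-list"] or words[2] != "permit":
        raise ValueError(f"only 'access-list N permit ...' is supported: {line!r}")
    src, rest = _parse_target(words[4:])
    dst, rest = _parse_target(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}: {rest}")
    return Ace(words[3].lower(), src, dst)


def _covers(target, addr):
    """Wildcard match: bits set in the wildcard are don't-care, as on IOS."""
    base, wc = target
    return ((addr ^ base) & ~wc & 0xFFFFFFFF) == 0


def matches(ace, proto, src, dst):
    """Would this packet be 'interesting traffic' under the ACE? ('ip' covers any protocol.)"""
    return (ace.proto in ("ip", proto.lower())
            and _covers(ace.src, _ip(src)) and _covers(ace.dst, _ip(dst)))


def interesting(acl, proto, src, dst):
    return any(matches(a, proto, src, dst) for a in acl)


def mirrored(acl_a, acl_b):
    """Crypto ACLs on two peers must be exact mirrors (src/dst swapped, same protocol)."""
    return {Ace(a.proto, a.dst, a.src) for a in acl_a} == set(acl_b)


# ACLs copied from the post.
CRYPTO_MAP_R1 = [parse_ace("access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255")]
CRYPTO_MAP_R3 = [parse_ace("access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255")]
FIRST_ATTEMPT_R1 = [parse_ace("access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255")]
GRE_R1 = [parse_ace("access-list 100 permit gre host 12.12.12.1 host 23.23.23.3")]
GRE_R3 = [parse_ace("access-list 100 permit gre host 23.23.23.3 host 12.12.12.1")]

# Constructed packets: a LAN-to-LAN ping, and the same ping after GRE
# encapsulation as the crypto map on FastEthernet0/0 sees it.
LAN_PKT = ("icmp", "14.14.14.10", "35.35.35.10")
GRE_OUTER = ("gre", "12.12.12.1", "23.23.23.3")


def classify():
    """Which design matches which packet, plus mirror checks for both designs."""
    return {
        "lan_pkt_under_cryptomap": interesting(CRYPTO_MAP_R1, *LAN_PKT),
        "gre_outer_under_cryptomap": interesting(CRYPTO_MAP_R1, *GRE_OUTER),
        "gre_outer_under_first_attempt": interesting(FIRST_ATTEMPT_R1, *GRE_OUTER),
        "gre_outer_under_gre_acl": interesting(GRE_R1, *GRE_OUTER),
        "cryptomap_acls_mirrored": mirrored(CRYPTO_MAP_R1, CRYPTO_MAP_R3),
        "gre_acls_mirrored": mirrored(GRE_R1, GRE_R3),
    }


if __name__ == "__main__":
    for key, value in classify().items():
        print(f"{key}: {value}")
```

The mirror check deliberately compares the parsed (address, wildcard) pairs rather than the text, so a non-contiguous wildcard such as `0.0.0.25` on one side is accepted as syntax (IOS permits it) but reported as a selector that the other peer will not agree to.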
#############################################################################
IPSEC LAN TO LAN Using IPSEC Profile (No host to host routing)
*****************************************************
R1
==
!
crypto ipsec profile IPSEC-PROFILE
set transform-set PHASE2
!
interface FastEthernet0/0
no crypto map CRYPTOMAP
!
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
!
R3
==
!
crypto ipsec profile IPSEC-PROFILE
set transform-set PHASE2
!
interface FastEthernet0/0
no crypto map CRYPTOMAP
!
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
!
=========================================================================
#########################################################################
IPSEC LAN TO LAN Using Static VTI (No host to host routing)
**************************************************
R1
==
!
interface Tunnel0
tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!
R3
==
!
interface Tunnel0
tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
HTH...
Deepak Arora
Evil CCIE
3 comments:
Deepak, friend, nice explanation, but the lab IP schema is a bit fussy as your diagram and config are different. Please, a small request: put one more diagram with the IP addresses you use in your config so we know what the peer IP address is and what the tunnel IP address is.
Please read 13.13.13.x/24 as 23.23.23.x/24. Rest is fine.
Hi Deepak,
Can you just post how I can verify if the tunnel is up and running well, and if not, what the possibilities and possible fixes are?
Thanks!