Tuesday, December 6, 2011

Site To Site VPNs Using IPSEC - Different Variations


IPSEC LAN TO LAN VPN USING CRYPTOMAP (With host to host routing configured)
***************************************************************************


R1
===


!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
 hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set PHASE2
 match address 100
!
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!




=========================


R3
===


!
crypto isakmp policy 10
 encr aes
 hash sha
 group 5
 lifetime 3600
 authentication pre-share
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set PHASE2
 match address 100
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!
==========================
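Before bringing a crypto-map pair like R1/R3 up, the two configs can be cross-checked offline. The Python below is an added checker, not code from this post or from Cisco: it parses both sides in the shape shown above and reports the mismatches that most often stop Phase 1 or Phase 2 from completing (no ISAKMP policy agreeing on encryption/hash/authentication/group, differing transform-sets, crypto ACLs that are not mirror images) and flags the legacy esp-3des transform the lab uses. The embedded R1/R3 configs are constructed; R3_TYPO reproduces a single lost digit in a wildcard mask (0.0.0.25) to show what the mirror check catches.

```python
import re
DEPRECATED = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy transforms worth flagging

def parse(cfg):
    """Collect the Phase 1/Phase 2 settings that must agree between two crypto-map peers."""
    c, block = {"pol": {}, "ts": {}, "acl": {}, "map": {}}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line[0] == "!":
            continue
        if raw[0] != " ":  # top-level command: opens a new block
            block = line
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                c["ts"][m[1]] = frozenset(m[2].split())
            elif m := re.match(r"access-list (\d+) permit (\S+) (\S+ \S+) (\S+ \S+)", line):
                c["acl"].setdefault(m[1], set()).add((m[2], m[3], m[4]))
        elif block.startswith("crypto isakmp policy"):  # "encr aes", "group 5", ...
            c["pol"].setdefault(block, {})[line.split()[0]] = line.split()[1]
        elif block.startswith("crypto map"):  # set peer X / set transform-set X / match address N
            c["map"][line.split()[-2]] = line.split()[-1]
    return c

def check_pair(a_cfg, b_cfg):
    """Return findings for a peer pair; an empty list means both sides agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    out, keys = [], ("encr", "hash", "authentication", "group")  # lifetime negotiates down
    for name, s in (("A", a), ("B", b)):
        weak = s["ts"].get(s["map"].get("transform-set"), frozenset()) & DEPRECATED
        if weak:
            out.append(f"{name}: transform-set uses deprecated {sorted(weak)}")
    phase1 = [{tuple(p.get(k) for k in keys) for p in s["pol"].values()} for s in (a, b)]
    if not phase1[0] & phase1[1]:
        out.append("Phase 1: no ISAKMP policy matches on encr/hash/authentication/group")
    if a["ts"].get(a["map"].get("transform-set")) != b["ts"].get(b["map"].get("transform-set")):
        out.append("Phase 2: transform-set algorithms differ")
    mirrored = {(p, dst, src) for p, src, dst in b["acl"].get(b["map"].get("address"), set())}
    if a["acl"].get(a["map"].get("address"), set()) != mirrored:
        out.append("Phase 2: crypto ACLs are not mirror images")
    return out

def side_cfg(remote, local_net, remote_net, remote_wc="0.0.0.255"):
    """Constructed config in the R1/R3 shape above (full-form IOS commands, not the blog's text)."""
    return (f"crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 5\n hash sha\n"
            f"crypto isakmp key cisco address {remote}\n"
            f"crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac\n"
            f"access-list 100 permit ip {local_net} 0.0.0.255 {remote_net} {remote_wc}\n"
            f"crypto map CRYPTOMAP 10 ipsec-isakmp\n set peer {remote}\n set transform-set PHASE2\n match address 100\n")
R1 = side_cfg("23.23.23.3", "14.14.14.0", "35.35.35.0")
R3 = side_cfg("12.12.12.1", "35.35.35.0", "14.14.14.0")
R3_TYPO = side_cfg("12.12.12.1", "35.35.35.0", "14.14.14.0", remote_wc="0.0.0.25")  # one digit lost
```

Running check_pair(R1, R3) reports only the esp-3des findings, while check_pair(R1, R3_TYPO) additionally reports that the crypto ACLs are not mirror images.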
###########################################################


IPSEC OVER GRE (With no host to host routing)
****************************************


R1
===


!
router ospf 1
 no network 14.14.14.1 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 23.23.23.3
!
router eigrp 1
 no auto-summary
 network 14.14.14.1 0.0.0.0
 network 13.13.13.1 0.0.0.0
!
no access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
! The LAN-to-LAN GRE entry above never matches: the GRE packets the crypto map sees
! carry the tunnel source/destination (12.12.12.1 -> 23.23.23.3) in their outer header,
! so the crypto ACL has to match those endpoints instead.
no access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!


R3
===


!
router ospf 1
 no network 35.35.35.3 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.3 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 12.12.12.1
!
router eigrp 1
 no auto-summary
 network 35.35.35.3 0.0.0.0
 network 13.13.13.3 0.0.0.0
!
no access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
! Same correction as on R1: match GRE between the tunnel endpoints, not between the LANs.
no access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
#############################################################################


IPSEC LAN TO LAN Using IPSEC Profile (No host to host routing)
*****************************************************


R1
==
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!

R3
==


!
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!


=========================================================================
#########################################################################


IPSEC LAN TO LAN Using Static VTI (No host to host routing)
**************************************************

R1
==


!
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!

R3
==


!
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================


HTH...
Deepak Arora
Evil CCIE

3 comments:

Praveen said...

Deepak, friend, nice explanation, but the lab IP schema is a bit fussy as your diagram and config differ. Please, a small request: put one more diagram with the IP addresses you use in your config, so we know what the peer IP address is and what the tunnel IP address is.

A Network Artist said...

Please read 13.13.13.x/24 as 23.23.23.x/24. Rest is fine.

Anonymous said...

Hi Deepak,

Can you just post how I can verify if the tunnel is running well and up, and if not, what the possibilities and possible fixes can be?

thanks!