Tuesday, December 6, 2011

Site To Site VPNs Using IPSEC - Different Variations








IPSEC LAN TO LAN VPN USING CRYPTOMAP (With host to host routing configured)
***************************************************************************


R1
===


!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
 hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set PHASE2
 match address 100
!
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!




=========================


R3
===


!
crypto isakmp policy 10
 encr aes
 hash sha
 group 5
 lifetime 3600
 authentication pre-share
 exit
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set PHASE2
 match address 100
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!
==========================
###########################################################


IPSEC OVER GRE ( With No host to host routing )
****************************************


R1
===


!
router ospf 1
 no network 14.14.14.1 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 23.23.23.3
!
router eigrp 1
 no auto-summary
 network 14.14.14.1 0.0.0.0
 network 13.13.13.1 0.0.0.0
!
! the LAN-to-LAN entry no longer matches anything once the LAN traffic is GRE-encapsulated
no access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
no access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
! the GRE packets are sourced from and sent to the tunnel endpoints, so the crypto ACL matches those two hosts
access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!


R3
===


!
router ospf 1
 no network 35.35.35.3 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.3 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 12.12.12.1
!
router eigrp 1
 no auto-summary
 network 35.35.35.3 0.0.0.0
 network 13.13.13.3 0.0.0.0
!
no access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
no access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
! mirror image of the R1 entry: same two hosts, source and destination swapped
access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
#############################################################################


IPSEC LAN TO LAN Using IPSEC Profile (No host to host routing)
*****************************************************


R1
==
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
! the profile binds IPsec to the tunnel interface, so the crypto map and its ACL are no longer used on the physical interface
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!




R3
==


!
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!


=========================================================================
#########################################################################


IPSEC LAN TO LAN Using Static VTI (No host to host routing)
**************************************************




R1
==


!
! tunnel mode ipsec ipv4 turns Tunnel0 into a static VTI: IP rides directly inside IPsec with no GRE header, so the GRE crypto ACL is no longer needed
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!






R3
==


!
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
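The crypto ACL is the piece that changes between the crypto map and the IPsec-over-GRE variations above: it selects which traffic is encrypted, the two peers' ACLs must be mirror images of each other, and once the LAN traffic rides inside GRE the ACL has to match the outer GRE packet between the tunnel endpoints rather than the inner LAN subnets. The following Python script is an added example, not part of the original post and not a Cisco tool. It implements Cisco wildcard-mask matching for the `access-list` lines copied from the R1 and R3 configs above, checks them against two constructed sample packets (an inner LAN-to-LAN packet and the outer GRE packet that carries it), and verifies mirror symmetry between the two routers' entries. The function names and the sample host addresses are my own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Crypto ACL lines taken from the R1/R3 configs on this page.
R1_LAN_ACE = "access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255"
R3_LAN_ACE = "access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255"
R1_GRE_ACE = "access-list 100 permit gre host 12.12.12.1 host 23.23.23.3"
R3_GRE_ACE = "access-list 100 permit gre host 23.23.23.3 host 12.12.12.1"


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit' entry of a crypto ACL, addresses and wildcards as 32-bit ints."""
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens: list[str]) -> tuple[int, int, list[str]]:
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_ace(line: str) -> CryptoAce:
    """Parse 'access-list <n> permit <proto> <src spec> <dst spec>'."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2] != "permit":
        raise ValueError(f"not a numbered permit entry: {line!r}")
    proto = toks[3]
    src, src_wild, rest = _take_spec(toks[4:])
    dst, dst_wild, rest = _take_spec(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return CryptoAce(proto, src, src_wild, dst, dst_wild)


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def ace_matches(ace: CryptoAce, proto: str, src: str, dst: str) -> bool:
    """Would this packet be selected for IPsec by the entry? ('ip' matches every protocol.)"""
    return (ace.proto in ("ip", proto)
            and wildcard_match(_ip(src), ace.src, ace.src_wild)
            and wildcard_match(_ip(dst), ace.dst, ace.dst_wild))


def is_mirror(a: CryptoAce, b: CryptoAce) -> bool:
    """Peer crypto ACLs must be exact mirror images, or phase 2 proxy identities will not agree."""
    return (a.proto == b.proto
            and (a.src, a.src_wild) == (b.dst, b.dst_wild)
            and (a.dst, a.dst_wild) == (b.src, b.src_wild))


def check_pair(r1_line: str, r3_line: str) -> bool:
    """Convenience wrapper: parse both routers' entries and test mirror symmetry."""
    return is_mirror(parse_ace(r1_line), parse_ace(r3_line))


if __name__ == "__main__":
    lan, gre = parse_ace(R1_LAN_ACE), parse_ace(R1_GRE_ACE)
    # Constructed sample packets: inner LAN-to-LAN traffic, and the outer GRE packet carrying it.
    inner = ("ip", "14.14.14.10", "35.35.35.10")
    outer = ("gre", "12.12.12.1", "23.23.23.3")
    print("crypto map ACL selects inner LAN traffic:", ace_matches(lan, *inner))  # True
    print("crypto map ACL selects outer GRE packet:", ace_matches(lan, *outer))   # False
    print("GRE ACL selects inner LAN traffic:", ace_matches(gre, *inner))         # False
    print("GRE ACL selects outer GRE packet:", ace_matches(gre, *outer))          # True
    print("R1/R3 LAN entries mirror:", check_pair(R1_LAN_ACE, R3_LAN_ACE))       # True
    print("R1/R3 GRE entries mirror:", check_pair(R1_GRE_ACE, R3_GRE_ACE))       # True
    # A wildcard typo on one side (0.0.0.25 instead of 0.0.0.255) breaks the mirror.
    typo = "access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.25"
    good = "access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255"
    print("typo'd entry mirrors its peer:", check_pair(good, typo))               # False
```

Run it as a script to see each check printed. `check_pair` is the comparison to run against both routers' crypto ACLs before digging into phase 2 negotiation debugs, and `ace_matches` shows why the crypto map variation needs the LAN subnets in the ACL while the GRE variation needs the tunnel endpoints: the crypto map on FastEthernet0/0 only ever sees the outer GRE header.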


HTH...
Deepak Arora
Evil CCIE

3 comments:

Praveen said...

Deepak, friend, nice explanation, but the lab IP schema is a bit fussy as your diagram and config are different. Please, a small request: put one more diagram with the IP addresses you use in your config so we know what the peer IP address is and what the tunnel IP address is.

Deepak Arora said...

Please read 13.13.13.x/24 as 23.23.23.x/24. The rest is fine.

Anonymous said...

Hi Deepak,

Can you just post how I can verify if the tunnel is running well and is up, and if not, what the possibilities and possible fixes could be?

thanks!