CCNP-ISCW GRE over IPSec with OSPF
ISCW IPSec LAB with OSPF through GRE tunnel
This is a follow-on lab from the basic site-to-site lab I created a few days ago; it adds GRE so I can run dynamic routing protocols across the VPN.

Here is the relevant config for the router IPSec_remote; notice that the tunnel interface is defined but shut down on this side.

!
hostname IPSec_remote
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 32000
crypto isakmp key 6 poophead address 50.0.0.10
!
crypto ipsec transform-set TOHO ah-sha-hmac esp-aes
!
crypto map TOHO 10 ipsec-isakmp
 set peer 50.0.0.10
 set transform-set TOHO
 match address 100
!
interface Loopback0
 ip address 192.168.200.200 255.255.255.255
!
interface Tunnel1
 ip address 10.0.2.2 255.255.255.252
 shutdown
 tunnel source FastEthernet0
 tunnel destination 50.0.0.10
!
interface Ethernet0
 ip address 10.0.1.254 255.255.255.0
 half-duplex
!
interface FastEthernet0
 ip address 50.0.0.1 255.255.255.252
 speed 100
 full-duplex
 crypto map TOHO
!
router ospf 1
 log-adjacency-changes
 network 10.0.1.0 0.0.0.255 area 1
 network 10.0.2.0 0.0.0.3 area 1
 network 192.168.200.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 50.0.0.2
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit icmp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit gre any any
!
Here is the route table: only connected and static routes.

IPSec_remote#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.2 to network 0.0.0.0

     50.0.0.0/30 is subnetted, 1 subnets
C       50.0.0.0 is directly connected, FastEthernet0
     192.168.200.0/32 is subnetted, 1 subnets
C       192.168.200.200 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 50.0.0.2
Here we can see that the IPSec VPN is up with peer 50.0.0.10, which is R4.

IPSec_remote#sh cry isakmp sa
dst             src             state          conn-id slot status
50.0.0.10       50.0.0.1        QM_IDLE              1    0 ACTIVE
We can ping over to the e0 interface on R4, which shows us that the VPN is working.

IPSec_remote#ping 10.0.0.254 source e0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/121/224 ms
Now let's see the config on R4 (HO-VPN-1).

!
hostname HO-VPN-1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 32000
crypto isakmp key 6 renshaw address 50.0.0.1
!
crypto ipsec transform-set TOVPNREMOTE ah-sha-hmac esp-aes
!
crypto map TOVPNREMOTE 10 ipsec-isakmp
 set peer 50.0.0.1
 set transform-set TOVPNREMOTE
 match address 100
!
interface Loopback0
 ip address 192.168.100.100 255.255.255.255
!
interface Tunnel1
 ip address 10.0.2.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 50.0.0.1
!
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 half-duplex
!
interface FastEthernet0
 ip address 50.0.0.10 255.255.255.248
 speed 100
 full-duplex
 crypto map TOVPNREMOTE
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 1
 network 10.0.2.0 0.0.0.3 area 1
 network 192.168.100.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 50.0.0.9
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit icmp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit gre any any
!
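Once OSPF comes up over Tunnel1, LAN-to-LAN traffic is routed into the tunnel and crosses the WAN as GRE, so it is the `permit gre` entry in the crypto ACL, not the `permit ip` lines, that keeps it encrypted. The following audit script is an added example, not part of the original lab or of IOS: it parses a config excerpt copied from the IPSec_remote config above and checks that each GRE tunnel's source interface carries a crypto map whose peer is the tunnel destination and whose ACL selects GRE, flagging `permit gre any any` as broader than the host-to-host match that is all the tunnel needs.

```python
# Excerpt of the IPSec_remote config shown on this page (only the stanzas the audit reads).
REMOTE_CFG = """\
crypto map TOHO 10 ipsec-isakmp
 set peer 50.0.0.10
 match address 100
interface Tunnel1
 tunnel source FastEthernet0
 tunnel destination 50.0.0.10
interface FastEthernet0
 crypto map TOHO
access-list 100 permit gre any any
"""

def parse_blocks(cfg):
    """Split a Cisco config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_gre_over_ipsec(cfg):
    """Return findings; an empty list means every GRE tunnel is protected by IPsec."""
    blocks, findings = parse_blocks(cfg), []
    for name, body in [(h, b) for h, b in blocks.items() if h.startswith("interface Tunnel")]:
        src = next((ln.split()[-1] for ln in body if ln.startswith("tunnel source")), "")
        dst = next((ln.split()[-1] for ln in body if ln.startswith("tunnel destination")), "")
        cmap = next((ln.split()[-1] for ln in blocks.get(f"interface {src}", []) if ln.startswith("crypto map")), None)
        if cmap is None:  # no crypto map on the tunnel source: GRE leaves the box in cleartext
            findings.append(f"{name}: no crypto map on tunnel source {src}, GRE is sent in cleartext")
            continue
        peers, acls = set(), set()
        for h, b in blocks.items():  # gather every sequence number of that crypto map
            if h.startswith(f"crypto map {cmap} "):
                peers |= {ln.split()[-1] for ln in b if ln.startswith("set peer")}
                acls |= {ln.split()[-1] for ln in b if ln.startswith("match address")}
        if dst not in peers:
            findings.append(f"{name}: destination {dst} is not a peer of crypto map {cmap}")
        gre = [h for h in blocks for a in acls if h.split()[:4] == ["access-list", a, "permit", "gre"]]
        if not gre:
            findings.append(f"{name}: crypto ACL {sorted(acls)} has no GRE entry, OSPF over the tunnel is unencrypted")
        elif any(h.endswith(" any any") for h in gre):
            findings.append(f"{name}: 'permit gre any any' is broader than needed, prefer host <tunnel source ip> host {dst}")
    return findings
```

Run against the excerpt it reports only the broad GRE entry; removing the crypto map from FastEthernet0 or the GRE line from ACL 100 turns that into a cleartext finding.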
Let's look at the route table; again, connected and static routes only.

HO-VPN-1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.9 to network 0.0.0.0

     50.0.0.0/29 is subnetted, 1 subnets
C       50.0.0.8 is directly connected, FastEthernet0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
C       10.0.0.0/24 is directly connected, Ethernet0
     192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.100 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 50.0.0.9
Let's ping e0 on the IPSec_remote router.

HO-VPN-1#ping 10.0.1.253 sou e0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.253, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/318/704 ms
OK, so we have seen the config for both routers and we saw the IPsec tunnel. Now let's do a "no shut" on the tunnel interface on the IPSec_remote router; we should then see an OSPF message as OSPF forms a neighbour adjacency.

IPSec_remote#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IPSec_remote(config)#int tun 1
IPSec_remote(config-if)#no shut
IPSec_remote(config-if)#
*Mar  1 00:22:58.295: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.100.100 on Tunnel1 from LOADING to FULL, Loading Done
*Mar  1 00:22:59.271: %LINK-3-UPDOWN: Interface Tunnel1, changed state to up
*Mar  1 00:23:00.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

And now as seen from R4 (HO-VPN-1):

HO-VPN-1#
*Mar  1 00:24:02.395: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.200.200 on Tunnel1 from LOADING to FULL, Loading Done
Let's look at the routing table of both routers; we should see the OSPF-learned routes.

IPSec_remote#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.2 to network 0.0.0.0

     50.0.0.0/30 is subnetted, 1 subnets
C       50.0.0.0 is directly connected, FastEthernet0
     192.168.200.0/32 is subnetted, 1 subnets
C       192.168.200.200 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
O       10.0.0.0/24 [110/11121] via 10.0.2.1, 00:00:54, Tunnel1
C       10.0.1.0/24 is directly connected, Ethernet0
     192.168.100.0/32 is subnetted, 1 subnets
O       192.168.100.100 [110/11112] via 10.0.2.1, 00:00:54, Tunnel1
S*   0.0.0.0/0 [1/0] via 50.0.0.2

R4 routing table:

HO-VPN-1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 50.0.0.9 to network 0.0.0.0

     50.0.0.0/29 is subnetted, 1 subnets
C       50.0.0.8 is directly connected, FastEthernet0
     192.168.200.0/32 is subnetted, 1 subnets
O       192.168.200.200 [110/11112] via 10.0.2.2, 00:01:30, Tunnel1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.2.0/30 is directly connected, Tunnel1
C       10.0.0.0/24 is directly connected, Ethernet0
O       10.0.1.0/24 [110/11121] via 10.0.2.2, 00:01:30, Tunnel1
     192.168.100.0/32 is subnetted, 1 subnets
C       192.168.100.100 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 50.0.0.9