Saturday, 13 May 2017

BGP - Path Selection Criteria


Below are the BGP path selection criteria, in the order a router evaluates them; the first criterion on which two candidate paths differ decides.

1. Highest weight
2. Highest local preference
3. Locally generated routes
4. Shortest AS path
5. Lowest origin code (IGP before EGP before incomplete)
6. Lowest MED
7. eBGP over iBGP
8. Lowest IGP metric to the BGP next hop
9. Oldest route (eBGP paths only)
10. BGP router with the lowest router ID
11. Minimum cluster list length
12. Lowest neighbor address
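As an added illustration (not part of the original post), the twelve criteria above written as a Python comparator: `decide()` reports which step broke the tie between two candidate paths and `best_path()` picks the winner from a set. The `Path` attribute names are this example's own; MED is compared unconditionally here, whereas IOS by default only compares MED between paths from the same neighbouring AS.

```python
from dataclasses import dataclass
from functools import cmp_to_key

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}      # IGP is preferred over EGP, EGP over incomplete
@dataclass
class Path:                                  # one candidate path for a prefix, with the attributes the criteria inspect
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    age: int = 0                             # seconds since the path was learned; larger means older
    router_id: str = "0.0.0.0"
    cluster_list_len: int = 0
    neighbor: str = "0.0.0.0"

def ip_key(addr):
    """Compare dotted-quad addresses numerically, not as strings ("10.0.0.2" sorts before "10.0.0.10")."""
    return tuple(int(octet) for octet in addr.split("."))

# The twelve criteria in the page's order. Each key maps a path to a value where *smaller wins*,
# so "highest weight" becomes -weight. Step 9 has no key; decide() handles it specially.
CRITERIA = [
    ("highest weight",           lambda p: -p.weight),
    ("highest local preference", lambda p: -p.local_pref),
    ("locally generated route",  lambda p: 0 if p.locally_originated else 1),
    ("shortest AS path",         lambda p: len(p.as_path)),
    ("lowest origin code",       lambda p: ORIGIN_RANK[p.origin]),
    ("lowest MED",               lambda p: p.med),
    ("eBGP over iBGP",           lambda p: 0 if p.ebgp else 1),
    ("lowest IGP metric",        lambda p: p.igp_metric),
    ("oldest eBGP route",        None),
    ("lowest router ID",         lambda p: ip_key(p.router_id)),
    ("minimum cluster list",     lambda p: p.cluster_list_len),
    ("lowest neighbor address",  lambda p: ip_key(p.neighbor)),
]

def decide(a, b):
    """Return (winner, criterion name), or (None, None) if a and b tie on all twelve steps."""
    for name, key in CRITERIA:
        if key is None:                      # step 9: only meaningful when both paths are eBGP
            if a.ebgp and b.ebgp and a.age != b.age:
                return (a if a.age > b.age else b), name
            continue
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), name
    return None, None

def best_path(paths):
    """The path a router would install: the first one in the order induced by decide()."""
    def cmp(a, b):
        winner, _ = decide(a, b)
        return 0 if winner is None else (-1 if winner is a else 1)
    return sorted(paths, key=cmp_to_key(cmp))[0]
```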

Monday, 8 May 2017

IPsec configuration example




PC1:-

PC1> show ip

NAME        : PC1[1]
IP/MASK     : 10.1.1.10/24
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10005
RHOST:PORT  : 127.0.0.1:10004
MTU:        : 1500

R1:-

interface FastEthernet0/0
 description *** Connected to R2 ***
 ip address 12.12.12.1 255.255.255.0
 no shut

interface FastEthernet2/0
 description *** Connected to PC1 ***
 ip address 10.1.1.1 255.255.255.0
 no shut

ip route 0.0.0.0 0.0.0.0 12.12.12.2   \\ Default route towards the Internet \\

crypto isakmp policy 1   \\ Phase 1 parameters \\
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key EncryKey address 45.45.45.5   \\ EncryKey is the pre-shared key; it must match on both sides \\

crypto ipsec transform-set VPN_R1_R5 esp-3des esp-md5-hmac   \\ Phase 2 parameters \\

crypto map ipsec__R1_R5 10 ipsec-isakmp
 set peer 45.45.45.5   \\ Peer router IP address \\
 set transform-set VPN_R1_R5
 match address Client_traffic

ip access-list extended Client_traffic
 permit ip 10.1.1.0 0.0.0.255 50.1.1.0 0.0.0.255   \\ Interesting traffic allowed through the IPsec tunnel \\

interface FastEthernet0/0
 crypto map ipsec__R1_R5   \\ Crypto map applied to the Internet-facing interface \\
 no shut

R2:-

interface FastEthernet0/0
 description *** Connected to R1 ***
 ip address 12.12.12.2 255.255.255.0
 no shut

interface FastEthernet0/1
 description *** Connected to R3 ***
 ip address 23.23.23.2 255.255.255.0
 no shut

router eigrp 1   \\ Used only to provide connectivity between R2 and R4 \\
 network 12.12.12.2 0.0.0.0
 network 23.23.23.2 0.0.0.0


R3:-

interface FastEthernet0/1
 description *** Connected to R2 ***
 ip address 23.23.23.3 255.255.255.0
 no shut

interface FastEthernet1/0
 description *** Connected to R4 ***
 ip address 34.34.34.3 255.255.255.0
 no shut

router eigrp 1
 network 23.23.23.3 0.0.0.0
 network 34.34.34.3 0.0.0.0


R4:-

interface FastEthernet0/0
 description *** Connected to R5 ***
 ip address 45.45.45.4 255.255.255.0
 speed auto
 duplex auto

interface FastEthernet1/0
 description *** Connected to R3 ***
 ip address 34.34.34.4 255.255.255.0
 no shut

router eigrp 1
 network 34.34.34.4 0.0.0.0
 network 45.45.45.4 0.0.0.0

R5:-

interface FastEthernet0/0
 description *** Connected to R4 ***
 ip address 45.45.45.5 255.255.255.0

interface FastEthernet2/0
 description *** Connected to PC2 ***
 ip address 50.1.1.1 255.255.255.0
 no shut

ip route 0.0.0.0 0.0.0.0 45.45.45.4   \\ Default route towards the Internet \\

crypto isakmp policy 1   \\ Phase 1 parameters \\
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key EncryKey address 12.12.12.1   \\ EncryKey is the pre-shared key; it must match on both sides \\

crypto ipsec transform-set VPN_R1_R5 esp-3des esp-md5-hmac   \\ Phase 2 parameters \\

crypto map ipsec__R1_R5 10 ipsec-isakmp
 set peer 12.12.12.1   \\ Peer router IP address \\
 set transform-set VPN_R1_R5
 match address Client_traffic

interface FastEthernet0/0
 crypto map ipsec__R1_R5   \\ Crypto map applied to the Internet-facing interface \\

ip access-list extended Client_traffic
 permit ip 50.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255   \\ Interesting traffic allowed through the IPsec tunnel (mirror of R1's ACL) \\

PC2:-

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 50.1.1.10/24
GATEWAY     : 50.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10011
RHOST:PORT  : 127.0.0.1:10010
MTU:        : 1500
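An added example, not from the original post: a Python check that parses two IOS configurations of the shape shown for R1 and R5 and confirms they mirror each other (each end's peer and key address point at the other end's crypto-map interface, Phase 1 policy, pre-shared key and transform set are identical, crypto ACLs are reversed). The config template, the names VPN and VPNMAP, and the one-policy/one-map/one-ACL assumption are this example's own; `legacy_algorithms()` flags 3DES, MD5 and DH group 2, which still negotiate but are legacy choices.

```python
import re
def parse_peer(cfg):
    """IPsec fields one IOS router must agree on with its peer (assumes one policy, map and ACL, as on the page)."""
    p = {"policy": {}, "acl": [], "peer": None, "psk": None, "psk_addr": None, "transform": None, "local": None}
    ifip, blk = {}, None                         # interface -> address; name of the current config block
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # an unindented (or blank) line ends the current block
            blk = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                p["psk"], p["psk_addr"] = m[1], m[2]
            elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                p["transform"] = tuple(m[1].split())
            elif m := re.match(r"(crypto isakmp policy|crypto map \S+ \d+ ipsec-isakmp|ip access-list extended|interface) ?(\S*)", line):
                blk = m[2] if m[1] == "interface" else m[1].split()[1]   # "isakmp", "map", "access-list" or an interface name
        elif blk == "isakmp":
            p["policy"].update([line.split(None, 1)])   # e.g. "encr 3des" -> policy["encr"] = "3des"
        elif blk == "map" and (m := re.match(r"set peer (\S+)", line)):
            p["peer"] = m[1]
        elif blk == "access-list" and (m := re.match(r"permit ip (\S+ \S+) (\S+ \S+)", line)):
            p["acl"].append((m[1], m[2]))
        elif blk and (m := re.match(r"ip address (\S+) ", line)):
            ifip[blk] = m[1]
        elif blk and re.match(r"crypto map \S+$", line):
            p["local"] = ifip.get(blk)           # the crypto-map interface address is this end's tunnel endpoint
    return p

def check_pair(a, b):
    """Findings for a peer pair; an empty list means the two ends mirror each other."""
    out = []
    for fld in ("peer", "psk_addr"):             # each end must name the other's endpoint address
        if a[fld] != b["local"] or b[fld] != a["local"]:
            out.append(f"{fld} does not match the far end's crypto-map interface address")
    for fld in ("psk", "policy", "transform"):   # Phase 1 and Phase 2 parameters must be identical
        if a[fld] != b[fld]:
            out.append(f"{fld} differs between the two ends")
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):   # interesting traffic must be mirrored
        out.append("crypto ACLs are not mirror images of each other")
    return out

def legacy_algorithms(p):                        # DES/3DES, MD5 and DH group 1-2 still negotiate, but are legacy choices
    algs = list(p["policy"].values()) + list(p["transform"] or ())
    return p["policy"].get("group") in ("1", "2") or any("des" in x or "md5" in x for x in algs)
TEMPLATE = """crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp key EncryKey address {peer}
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set VPN
ip access-list extended Client_traffic
 permit ip {lan} 0.0.0.255 {rlan} 0.0.0.255
interface FastEthernet0/0
 ip address {local} 255.255.255.0
 crypto map VPNMAP"""   # constructed lab config modelled on the page's R1/R5; both ends are built from it
R1 = TEMPLATE.format(local="12.12.12.1", peer="45.45.45.5", lan="10.1.1.0", rlan="50.1.1.0")
R5 = TEMPLATE.format(local="45.45.45.5", peer="12.12.12.1", lan="50.1.1.0", rlan="10.1.1.0")
```

`check_pair(parse_peer(R1), parse_peer(R5))` returns an empty list for the lab above; a wrong key, a non-mirrored ACL or a `set peer` that does not match the far end's crypto-map interface each produce a finding.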


Verification:-

PC1:-

PC1> ping 50.1.1.10   \\ Able to ping PC2 \\
84 bytes from 50.1.1.10 icmp_seq=1 ttl=62 time=109.170 ms
84 bytes from 50.1.1.10 icmp_seq=2 ttl=62 time=140.362 ms
84 bytes from 50.1.1.10 icmp_seq=3 ttl=62 time=93.574 ms
84 bytes from 50.1.1.10 icmp_seq=4 ttl=62 time=109.169 ms
84 bytes from 50.1.1.10 icmp_seq=5 ttl=62 time=124.765 ms

PC1> trace 50.1.1.10
trace to 50.1.1.10, 8 hops max, press Ctrl+C to stop
 1   10.1.1.1   46.787 ms  15.596 ms  15.596 ms
 2     *  *  *
 3   *50.1.1.10   171.553 ms (ICMP type:3, code:3, Destination port unreachable)

R1:-

R1#show crypto isakmp sa                  \\ Phase 1 verification \\
dst             src             state          conn-id slot status
45.45.45.5      12.12.12.1      QM_IDLE              1    0 ACTIVE  \\ QM_IDLE means the Phase 1 SA is established \\

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ipsec__R1_R5, local addr 12.12.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)       \\interesting source traffic  \\
   remote ident (addr/mask/prot/port): (50.1.1.0/255.255.255.0/0/0)   \\interesting destination traffic  \\

   current_peer 45.45.45.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4         \\ Shows encrypted and decrypted packets \\
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.12.12.1, remote crypto endpt.: 45.45.45.5  \\ Tunnel end points \\
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xFB8DE8A1(4220381345)

     inbound esp sas:
      spi: 0xF4E3ADA1(4108561825)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: ipsec__R1_R5
        sa timing: remaining key lifetime (k/sec): (4501412/3567)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE         \\ Phase2 is up \\

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFB8DE8A1(4220381345)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: ipsec__R1_R5
        sa timing: remaining key lifetime (k/sec): (4501412/3565)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE    \\ Phase2 is up \\

     outbound ah sas:

     outbound pcp sas:

R1#sh ip access-lists
Extended IP access list Client_traffic
    10 permit ip 10.1.1.0 0.0.0.255 50.1.1.0 0.0.0.255 (8 matches) \\ ACL hit count shows that traffic is hitting Router  \\

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 12.12.12.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet2/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 12.12.12.2

R2:-

R2#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   23.23.23.3              Fa0/1             14 01:22:19   41   246  0  8

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.12.12.0/24 is directly connected, FastEthernet0/0
L        12.12.12.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.23.23.0/24 is directly connected, FastEthernet0/1
L        23.23.23.2/32 is directly connected, FastEthernet0/1
      34.0.0.0/24 is subnetted, 1 subnets
D        34.34.34.0 [90/30720] via 23.23.23.3, 01:22:14, FastEthernet0/1
      45.0.0.0/24 is subnetted, 1 subnets
D        45.45.45.0 [90/33280] via 23.23.23.3, 01:21:20, FastEthernet0/1

R2#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R3               Fas 0/1           174            R       7206VXR   Fas 0/1
R1             Fas 0/0           163          R S I     3745      Fas 0/0

R3:-

R3#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   34.34.34.4              Fa1/0             11 01:21:53   47   282  0  4
0   23.23.23.2              Fa0/1             12 01:22:47 1035  5000  0  4


R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      12.0.0.0/24 is subnetted, 1 subnets
D        12.12.12.0 [90/30720] via 23.23.23.2, 01:22:48, FastEthernet0/1
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.23.23.0/24 is directly connected, FastEthernet0/1
L        23.23.23.3/32 is directly connected, FastEthernet0/1
      34.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        34.34.34.0/24 is directly connected, FastEthernet1/0
L        34.34.34.3/32 is directly connected, FastEthernet1/0
      45.0.0.0/24 is subnetted, 1 subnets
D        45.45.45.0 [90/30720] via 34.34.34.4, 01:21:49, FastEthernet1/0

R4:-

R4#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   34.34.34.3              Fa1/0             14 01:59:20 1270  5000  0  7

R4#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      12.0.0.0/24 is subnetted, 1 subnets
D        12.12.12.0 [90/33280] via 34.34.34.3, 01:59:21, FastEthernet1/0
      23.0.0.0/24 is subnetted, 1 subnets
D        23.23.23.0 [90/30720] via 34.34.34.3, 01:59:21, FastEthernet1/0
      34.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        34.34.34.0/24 is directly connected, FastEthernet1/0
L        34.34.34.4/32 is directly connected, FastEthernet1/0
      45.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        45.45.45.0/24 is directly connected, FastEthernet0/0
L        45.45.45.4/32 is directly connected, FastEthernet0/0

R5:-

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 45.45.45.4 to network 0.0.0.0

     50.0.0.0/24 is subnetted, 1 subnets
C       50.1.1.0 is directly connected, FastEthernet2/0
     45.0.0.0/24 is subnetted, 1 subnets
C       45.45.45.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 45.45.45.4

R5#sh crypto isakmp sa  \\ Phase1 is up \\
dst             src             state          conn-id slot status
45.45.45.5      12.12.12.1      QM_IDLE              1    0 ACTIVE

R5#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: ipsec__R1_R5, local addr 45.45.45.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (50.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22          \\ Number of packets encrypted \\
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22          \\ Number of packets decrypted \\
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 45.45.45.5, remote crypto endpt.: 12.12.12.1   \\ Tunnel end points \\
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF4E3ADA1(4108561825)

     inbound esp sas:
      spi: 0xFB8DE8A1(4220381345)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: ipsec__R1_R5
        sa timing: remaining key lifetime (k/sec): (4607263/1083)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE      \\ Phase2 is up \\

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF4E3ADA1(4108561825)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: ipsec__R1_R5
        sa timing: remaining key lifetime (k/sec): (4607263/1068)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE      \\ Phase2 is up \\

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (50.1.1.0/255.255.255.0/0/0)  
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 45.45.45.5, remote crypto endpt.: 12.12.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (50.1.1.0/255.255.255.0/10/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/10/0)
   current_peer 12.12.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 45.45.45.5, remote crypto endpt.: 12.12.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

R5#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 12.12.12.1
      Desc: (none)
  IKE SA: local 45.45.45.5/500 remote 12.12.12.1/500 Active
          Capabilities:D connid:1 lifetime:22:33:45
  IPSEC FLOW: permit ip 50.1.1.0/255.255.255.0 10.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 22 drop 0 life (KB/Sec) 4607263/1056
        Outbound: #pkts enc'ed 22 drop 2 life (KB/Sec) 4607263/1056
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 50.1.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit 10 50.1.1.0/255.255.255.0 10.1.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

R5#ping 10.1.1.1 source 50.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 50.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/336/940 ms

ESW2#show crypto isakmp sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1     45.45.45.5      12.12.12.1               ACTIVE 3des md5  psk  2  22:21:05
       Connection-id:Engine-id =  1:1(software)

PC2:-

PC2> ping 10.1.1.10 \\ Able to ping PC1 \\
84 bytes from 10.1.1.10 icmp_seq=1 ttl=62 time=77.979 ms
84 bytes from 10.1.1.10 icmp_seq=2 ttl=62 time=124.766 ms
84 bytes from 10.1.1.10 icmp_seq=3 ttl=62 time=140.361 ms
84 bytes from 10.1.1.10 icmp_seq=4 ttl=62 time=155.957 ms
84 bytes from 10.1.1.10 icmp_seq=5 ttl=62 time=109.170 ms

PC2> trace 10.1.1.10
trace to 10.1.1.10, 8 hops max, press Ctrl+C to stop
 1   50.1.1.1   15.596 ms  15.595 ms  15.596 ms
 2   10.1.1.10   140.361 ms (ICMP type:3, code:3, Destination port unreachable)