iWAN – IPSec

Következzen az IPSec konfiguráció.

MPLS VRF routerek:

crypto keyring KEYRING vrf MPLS
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp profile ISAKMP-PROFILE
 keyring KEYRING
 match identity address 0.0.0.0 MPLS
 local-address XXXXXX
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set esp-3des-sha
 set isakmp-profile ISAKMP-PROFILE
!
!
interface Tunnel1
 tunnel protection ipsec profile IPSEC-PROFILE

INET VRF routerek:

crypto keyring INETKEYRING vrf INET
 pre-shared-key address 0.0.0.0 0.0.0.0 key INETKEY
crypto isakmp policy 20
 encr 3des
 authentication pre-share
crypto isakmp profile INET-ISAKMP-PROFILE
 keyring INETKEYRING
 match identity address 0.0.0.0 INET
 local-address xxxx
crypto ipsec transform-set INET-TS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE-INET
 set transform-set INET-TS
 set isakmp-profile INET-ISAKMP-PROFILE
int tu2
tunnel prot ipsec prof IPSEC-PROFILE-INET

EIGRP neighborshipek megvannak:

R2#sh ip eigrp ne | i Tunnel
4 192.168.200.2 Tu1 14 4d22h 5 100 0 38
3 192.168.200.3 Tu1 13 4d22h 4 100 0 29
R3#sh ip eigrp ne | i Tunnel
3 192.168.201.3 Tu2 10 00:02:47 13 100 0 33
4 192.168.201.2 Tu2 12 00:04:03 24 144 0 40
R3#

IKE ellenőrzés:

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.18.200.1 172.18.202.1 QM_IDLE 1011 ACTIVE
172.18.200.1 172.18.204.1 QM_IDLE 1012 ACTIVE
IPv6 Crypto ISAKMP SA
R2#

IPSec ellenőrzése (encrypt-decrypt nem 0)

R2#sh crypto ipsec sa
interface: Tunnel1
 Crypto map tag: Tunnel1-head-0, local addr 172.18.200.1
protected vrf: (none)
 local ident (addr/mask/prot/port): (172.18.200.1/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (172.18.202.1/255.255.255.255/47/0)
 current_peer 172.18.202.1 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 92125, #pkts encrypt: 92125, #pkts digest: 92125
 #pkts decaps: 92149, #pkts decrypt: 92149, #pkts verify: 92149

A következő részben már a PfRv3 konfig jön. 🙂