Scribd Logo
Upload

Welcome to Scribd!

  • IOS Flex IPv4 Site

    Uploaded by

    Madhu Thamatam
    13 views7 pages
    IOS Flex vpn Configurastion

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    IOS Flex vpn Configurastion

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    13 views7 pages

    IOS Flex IPv4 Site

    Uploaded by

    Madhu Thamatam
    IOS Flex vpn Configurastion

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    IOS Flex IPv4 Site-Site With Pre-Shared

    R1
    int l1
    ip add 192.168.101.1 255.255.255.0
    no shutdown
    int s1/0
    no shutdown
    ip add 101.1.1.100 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 101.1.1.1
    ISP
    interface serial 0/0
    no shutdown
    ip add 101.1.1.1 255.255.255.0
    no shutdown
    int s0/1
    no shutdown
    ip add 102.1.1.1 255.255.255.0
    no shutdown
    R2
    int l1
    ip add 192.168.102.1 255.255.255.0
    no shutdown
    int s1/0
    no shutdown
    ip add 102.1.1.100 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 102.1.1.1
    R1
    crypto ikev2 proposal 1
    encryption aes-cbc-128
    integrity sha1
    group 5
    crypto ikev2 policy 1
    proposal 1

    crypto ikev2 keyring 1


    peer any
    address 0.0.0.0 0.0.0.0
    pre-shared-key shiva

    crypto ikev2 profile 1


    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local 1
    crypto ipsec security-association lifetime seconds 1800
    crypto ipsec transform-set t-set esp-aes esp-sha-hmac
    mode tunnel
    crypto map test 10 ipsec-isakmp
    set peer 102.1.1.100
    set transform-set t-set
    set ikev2-profile 1
    match address 101
    access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255

    int s1/0
    crypto map test

    R2
    crypto ikev2 proposal 1
    encryption aes-cbc-128
    integrity sha1
    group 5
    crypto ikev2 policy 1
    proposal 1
    crypto ikev2 keyring 1
    peer any
    address 0.0.0.0 0.0.0.0
    pre-shared-key shiva
    !
    crypto ikev2 profile 1
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local 1
    crypto ipsec security-association lifetime seconds 1800
    crypto ipsec transform-set t-set esp-aes esp-sha-hmac
    mode tunnel
    crypto map test 10 ipsec-isakmp
    set peer 101.1.1.100
    set transform-set t-set
    set ikev2-profile 1
    match address 102
    access-list 102 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
    int s1/0
    crypto map test

    R1#ping 192.168.102.1 source lo1 repeat 100


    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.101.1
    .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 99 percent (99/100), round-trip min/avg/max = 72/92/132 ms
    R2#ping 192.168.101.1 source lo1 repeat 100
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.102.1
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 64/92/116
    ms

    R1#sh crypto ikev2 sa detailed

    IPv4 Crypto IKEv2 SA


    Tunnel-id Local Remote fvrf/ivrf
    Status
    1 101.1.1.100/500 102.1.1.100/500 none/none
    READY
    Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK,
    Auth verify: PSK
    Life/Active Time: 86400/41 sec
    CE id: 1001, Session-id: 1
    Status Description: Negotiation done
    Local spi: 18FBD05A59B67CF7 Remote spi: C5B45B7901514743
    Local id: 101.1.1.100
    Remote id: 102.1.1.100
    Local req msg id: 2 Remote req msg id: 0
    Local next msg id: 2 Remote next msg id: 0
    Local req queued: 2 Remote req queued: 0
    Local window: 5 Remote window: 5
    DPD configured for 0 seconds, retry 0
    NAT-T is not detected
    Cisco Trust Security SGT is disabled
    Initiator of SA : Yes
    IPv6 Crypto IKEv2 SA

    R2#sh crypto ikev2 sa detailed


    IPv4 Crypto IKEv2 SA
    Tunnel-id Local Remote fvrf/ivrf
    Status
    1 102.1.1.100/500 101.1.1.100/500 none/none
    READY
    Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK,
    Auth verify: PSK

    ife/Active Time: 86400/55 sec


    CE id: 1001, Session-id: 1
    Status Description: Negotiation done
    Local spi: C5B45B7901514743 Remote spi: 18FBD05A59B67CF7
    Local id: 102.1.1.100
    Remote id: 101.1.1.100
    Local req msg id: 0 Remote req msg id: 2
    Local next msg id: 0 Remote next msg id: 2
    Local req queued: 0 Remote req queued: 2
    Local window: 5 Remote window: 5
    DPD configured for 0 seconds, retry 0
    NAT-T is not detected
    Cisco Trust Security SGT is disabled
    Initiator of SA : No

    IPv6 Crypto IKEv2 SA

    R1# sh crypto ipsec sa


    interface: Serial1/0
    Crypto map tag: test, local addr 101.1.1.100
    protected vrf: (none)
    local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
    current_peer 102.1.1.100 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
    path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
    current outbound spi: 0xD1955F55(3516227413)
    PFS (Y/N): N, DH group: none
    inbound esp sas:
    spi: 0xFF2F426A(4281287274)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4332206/1736)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

    inbound ah sas:
    inbound pcp sas:

    outbound esp sas:


    spi: 0xD1955F55(3516227413)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4332206/1736)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)
    outbound ah sas:
    outbound pcp sas:

    R2#sh crypto ipsec sa


    interface: Serial1/0
    Crypto map tag: test, local addr 102.1.1.100
    protected vrf: (none)
    local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
    current_peer 101.1.1.100 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
    path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
    current outbound spi: 0xFF2F426A(4281287274)
    PFS (Y/N): N, DH group: none
    inbound esp sas:
    spi: 0xD1955F55(3516227413)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4209977/1722)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xFF2F426A(4281287274)
    transform: esp-aes esp-sha-hmac ,

    in use settings ={Tunnel, }


    conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: test
    sa timing: remaining key lifetime (k/sec): (4209977/1722)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)
    outbound ah sas:
    outbound pcp sas:
    R1# sh crypto engine connections active

    Crypto Engine Connections


    ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
    1 IPsec AES+SHA 199 0 0 101.1.1.100
    2 IPsec AES+SHA 0 199 199 101.1.1.100
    1001 IKEv2 SHA+AES 0 0 0 101.1.1.100
    R2#sh crypto engine connections active
    Crypto Engine Connections
    ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
    1 IPsec AES+SHA 0 199 199 102.1.1.100
    2 IPsec AES+SHA 199 0 0 102.1.1.100
    1001 IKEv2 SHA+AES 0 0 0 102.1.1.100

    You might also like