Issue

In this example we will configure an IPsec site-to-site VPN between R1 and R5 to provide connectivity between the SW1 LAN and the SW2 LAN. The simulation also involves BGP peering, in order to practice BGP neighbor relationships and path attributes.
Configuration

R1

hostname R1
!
interface Loopback0
 ip address 62.215.1.1 255.255.255.255
!
interface Serial0/0
 ip address 62.215.12.1 255.255.255.0
 encapsulation ppp
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 62.215.1.1 0.0.0.0 area 0
 network 62.215.12.1 0.0.0.0 area 0

R2

hostname R2
!
interface Loopback0
 ip address 62.215.2.2 255.255.255.255
!
interface Serial0/0
 ip address 109.107.23.2 255.255.255.0
!
interface Serial0/1
 ip address 62.215.12.2 255.255.255.0
 encapsulation ppp
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 62.215.2.2 0.0.0.0 area 0
 network 62.215.12.2 0.0.0.0 area 0

R3

hostname R3
!
interface Serial0/0
 ip address 109.107.23.3 255.255.255.0
 encapsulation ppp
!
interface Serial0/1
 ip address 109.107.34.3 255.255.255.0
 encapsulation ppp

R4

hostname R4
!
interface Loopback0
 ip address 212.118.4.4 255.255.255.255
!
interface Serial0/0
 ip address 109.107.34.4 255.255.255.0
 encapsulation ppp
!
interface Serial0/1
 ip address 212.118.45.4 255.255.255.0
 encapsulation ppp
!
router isis 1
 net 49.0001.0000.0000.0004.00
 is-type level-2-only
!
interface Loopback0
 ip router isis 1
!
interface Serial0/1
 ip router isis 1
 encapsulation ppp

R5

hostname R5
!
R5#sh run int lo0
interface Loopback0
 ip address 212.118.5.5 255.255.255.255
 ip router isis 1
!
interface Serial0/0
 ip address 212.118.45.5 255.255.255.0
 ip router isis 1
 encapsulation ppp
!
interface FastEthernet0/0
 ip address 192.168.5.5 255.255.255.0
 speed 100
 full-duplex
!
router isis 1
 net 49.0001.0000.0000.0005.00
 is-type level-2-only
!
interface Loopback0
 ip router isis 1
!
interface Serial0/0
 ip router isis 1
BGP Configuration

R1

router bgp 100
 no bgp default ipv4-unicast
 neighbor 62.215.2.2 remote-as 100
 neighbor 62.215.2.2 update-source Loopback0
 !
 address-family ipv4
  neighbor 62.215.2.2 activate
  network 62.215.1.1 mask 255.255.255.255

R2

router bgp 100
 no bgp default ipv4-unicast
 neighbor 62.215.1.1 remote-as 100
 neighbor 62.215.1.1 update-source Loopback0
 neighbor 109.107.23.3 remote-as 300
 !
 address-family ipv4
  neighbor 62.215.1.1 activate
  neighbor 62.215.1.1 next-hop-self
  neighbor 109.107.23.3 activate
  network 62.215.2.2 mask 255.255.255.255
  network 62.215.12.0 mask 255.255.255.0

R3

router bgp 300
 no bgp default ipv4-unicast
 neighbor 109.107.23.2 remote-as 100
 neighbor 109.107.34.4 remote-as 200
 !
 address-family ipv4
  neighbor 109.107.23.2 activate
  neighbor 109.107.34.4 activate

R4

router bgp 200
 no bgp default ipv4-unicast
 neighbor 109.107.34.3 remote-as 300
 neighbor 212.118.5.5 remote-as 200
 neighbor 212.118.5.5 update-source Loopback0
 !
 address-family ipv4
  neighbor 109.107.34.3 activate
  neighbor 212.118.5.5 activate
  neighbor 212.118.5.5 next-hop-self
  network 212.118.4.4 mask 255.255.255.255
  network 212.118.45.0

R5

router bgp 200
 no bgp default ipv4-unicast
 neighbor 212.118.4.4 remote-as 200
 neighbor 212.118.4.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 212.118.4.4 activate
  no auto-summary
  no synchronization
  network 212.118.5.5 mask 255.255.255.255
R1#sh ip bgp
BGP table version is 9, local router ID is 62.215.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 62.215.1.1/32    0.0.0.0                  0         32768 i
r>i62.215.2.2/32    62.215.2.2               0    100      0 i
r>i62.215.12.0/24   62.215.2.2               0    100      0 i
*>i212.118.4.4/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.5.5/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.45.0     62.215.2.2               0    100      0 300 200 i

R1#ping 212.118.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.118.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/32 ms

R1#ping 212.118.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.118.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms

R5#sh ip bgp
BGP table version is 9, local router ID is 212.118.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i62.215.1.1/32    212.118.4.4              0    100      0 300 100 i
*>i62.215.2.2/32    212.118.4.4              0    100      0 300 100 i
*>i62.215.12.0/24   212.118.4.4              0    100      0 300 100 i
r>i212.118.4.4/32   212.118.4.4              0    100      0 i
*> 212.118.5.5/32   0.0.0.0                  0         32768 i
r>i212.118.45.0     212.118.4.4              0    100      0 i

R5#ping 62.215.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 62.215.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/16 ms

R5#ping 62.215.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 62.215.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/32 ms
VPN Configuration

R1

crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 cisco address 212.118.45.5 no-xauth
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 212.118.45.5
 set transform-set SET
 match address 100
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
interface Serial0/0
 crypto map MAP
!
ip route 192.168.5.0 255.255.255.0 62.215.12.2

R5

crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 cisco address 62.215.12.1 no-xauth
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
crypto map MAP 1 ipsec-isakmp
 set peer 62.215.12.1
 set transform-set SET
 match address 105
!
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface Serial0/0
 crypto map MAP
!
ip route 192.168.1.0 255.255.255.0 212.118.45.4
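The two crypto configurations above only bring up a tunnel if they agree: identical ISAKMP policy attributes and transform-set, each side's set peer pointing at the other side's crypto map interface, and crypto ACLs that are exact mirror images. The following checker is an added example (not part of the original lab) that parses constructed copies of the R1 and R5 crypto lines and reports any asymmetry; the crypto map interface addresses are passed in by hand, and the assumed helper names are parse_crypto and check_mirror.

```python
import re

# Constructed copies of the crypto-relevant lines of the R1 and R5 configs above
# (lifetime, transform-set binding and interface lines omitted for brevity).
R1_CFG = """\
crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set SET esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 212.118.45.5
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
R5_CFG = """\
crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set SET esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 62.215.12.1
 match address 105
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def parse_crypto(cfg, local_addr):
    """Pull out the values both peers must agree on; local_addr is the crypto map interface IP."""
    policy = dict(re.findall(r"^ (encr|hash|authentication|group) (.+)$", cfg, re.M))
    transform = sorted(re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split())
    peer = re.search(r"^ set peer (\S+)", cfg, re.M).group(1)
    acl = re.search(r"^ match address (\d+)", cfg, re.M).group(1)
    m = re.search(rf"^access-list {acl} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    return {"policy": policy, "transform": transform, "peer": peer,
            "local": local_addr, "src": m.group(1), "dst": m.group(2)}

def check_mirror(a, b):
    # Each mismatch below stops IKE Phase 1 (policy) or Phase 2 (transform, peer, ACL).
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy attributes differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform-sets differ")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not point at the far side's crypto map interface")
    if a["src"] != b["dst"] or a["dst"] != b["src"]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running check_mirror(parse_crypto(R1_CFG, "62.215.12.1"), parse_crypto(R5_CFG, "212.118.45.5")) on the lab configs returns an empty list.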
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
62.215.12.1     212.118.45.5    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
62.215.12.1     212.118.45.5    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MAP, local addr 62.215.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 212.118.45.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 62.215.12.1, remote crypto endpt.: 212.118.45.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x4DE15982(1306614146)

     inbound esp sas:
      spi: 0x6B417577(1799452023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4421195/6)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xF46F0AD7(4100917975)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4415971/3417)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC7E81C23(3353877539)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4421195/6)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x4DE15982(1306614146)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4415971/3417)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R5#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MAP, local addr 212.118.45.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 62.215.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 212.118.45.5, remote crypto endpt.: 62.215.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xF46F0AD7(4100917975)

     inbound esp sas:
      spi: 0x4DE15982(1306614146)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4546732/3403)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF46F0AD7(4100917975)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4546732/3403)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
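A quick way to confirm the two show crypto ipsec sa outputs above describe one working tunnel is to pair them up: each router's current outbound SPI must appear among the other router's inbound ESP SAs, the packets one side encapsulates should equal the packets the other side decapsulates, and the send error counter should be zero. The script below is an added example (not part of the original lab) that runs that cross-check over constructed excerpts of the R1 and R5 outputs; parse_sa and cross_check are assumed helper names.

```python
import re

# Constructed excerpts of the R1 and R5 "sh crypto ipsec sa" outputs above,
# reduced to the counters and SPIs the cross-check needs.
R1_SA = """\
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
     current outbound spi: 0x4DE15982(1306614146)
     inbound esp sas:
      spi: 0x6B417577(1799452023)
      spi: 0xF46F0AD7(4100917975)
     outbound esp sas:
      spi: 0xC7E81C23(3353877539)
      spi: 0x4DE15982(1306614146)
"""
R5_SA = """\
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     current outbound spi: 0xF46F0AD7(4100917975)
     inbound esp sas:
      spi: 0x4DE15982(1306614146)
     outbound esp sas:
      spi: 0xF46F0AD7(4100917975)
"""

def parse_sa(text):
    """Extract packet counters, the active outbound SPI and the list of inbound SPIs."""
    num = lambda pat: int(re.search(pat, text).group(1))
    out_spi = re.search(r"current outbound spi: (0x[0-9A-F]+)", text).group(1)
    inbound = text.split("inbound esp sas:")[1].split("outbound esp sas:")[0]
    return {"encaps": num(r"#pkts encaps: (\d+)"), "decaps": num(r"#pkts decaps: (\d+)"),
            "send_errors": num(r"#send errors (\d+)"), "out_spi": out_spi,
            "in_spis": re.findall(r"spi: (0x[0-9A-F]+)", inbound)}

def cross_check(a, b):
    """Compare both directions (A->B and B->A) and return a list of findings."""
    findings = []
    for x, y, name in ((a, b, "A->B"), (b, a, "B->A")):
        if x["out_spi"] not in y["in_spis"]:
            findings.append(f"{name}: outbound SPI {x['out_spi']} unknown to the receiver")
        if x["encaps"] != y["decaps"]:
            findings.append(f"{name}: {x['encaps']} encapsulated but {y['decaps']} decapsulated")
        if x["send_errors"]:
            # A non-zero count is worth a look; the R5 output above shows one.
            findings.append(f"{name}: {x['send_errors']} send error(s) on the sender")
    return findings
```

On the lab outputs the SPIs and counters line up in both directions, and the only finding is the single send error recorded on R5.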
R1#ping 192.168.5.5 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/32 ms

R5#ping 192.168.1.1 source 192.168.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms