Tecnologias cobertas
• mGRE
• NHRP
• EIGRP
• IPsec
Overview
Você foi encarregado de configurar DMVPN, IPsec e roteamento EIGRP em sua rede.
Este laboratório simula uma conexão entre três sites usando DMVPN sobre IPsec para garantir segurança e escalabilidade.
A topologia usada no laboratório será a seguinte:
Topologia EVE-NG:
Pré-requisitos
- Criar a topologia.
- Ajustar as configurações dos roteadores que fazem parte dos ISPs:
No ISP-1, configure o seguinte:
interface g0/0
description LINK for R2 Site 2
ip address 25.2.2.1 255.255.255.252
no shutdown
exit
interface g0/1
description LINK for ISP-2
ip address 12.12.12.1 255.255.255.0
no shutdown
exit
interface g0/2
description LINK for ISP-3
ip address 13.13.13.1 255.255.255.0
no shutdown
exit
router bgp 100
network 12.12.12.0 mask 255.255.255.0
network 13.13.13.0 mask 255.255.255.0
network 25.2.2.0 mask 255.255.255.252
neighbor 12.12.12.2 remote-as 200
neighbor 13.13.13.3 remote-as 300
No ISP-2, configure o seguinte:
hostname ISP-2
interface g0/0
description LINK for R1 Site 1
ip address 15.1.1.2 255.255.255.252
no shutdown
exit
interface g0/1
description LINK for ISP-2
ip address 12.12.12.2 255.255.255.0
no shutdown
exit
interface g0/2
description LINK for ISP-3
ip address 23.23.23.2 255.255.255.0
no shutdown
exit
router bgp 200
network 12.12.12.0 mask 255.255.255.0
network 15.1.1.0 mask 255.255.255.252
network 23.23.23.0 mask 255.255.255.0
neighbor 12.12.12.1 remote-as 100
neighbor 23.23.23.3 remote-as 300
No ISP-3, configure o seguinte:
hostname ISP-3
interface g0/0
description LINK for R3 Site 3
ip address 35.3.3.33 255.255.255.0
no shutdown
exit
interface g0/1
description LINK for ISP-2
ip address 23.23.23.3 255.255.255.0
no shutdown
exit
interface g0/2
description LINK for ISP-1
ip address 13.13.13.3 255.255.255.0
no shutdown
exit
router bgp 300
network 13.13.13.0 mask 255.255.255.0
network 23.23.23.0 mask 255.255.255.0
network 35.3.3.0 mask 255.255.255.0
neighbor 13.13.13.1 remote-as 100
neighbor 23.23.23.2 remote-as 200
NOTA: Esta configuração nos ISPs é uma configuração básica à nível de laboratório.
No R1, configure o seguinte:
hostname R1
interface GigabitEthernet0/0
description LINK Local Network
ip address 10.1.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet0/1
description LINK for ISP-2
ip address 15.1.1.1 255.255.255.252
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 15.1.1.2
No R2, configure o seguinte:
hostname R2
interface GigabitEthernet0/0
description LINK Local Network
ip address 10.2.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet0/2
description LINK for ISP-1
ip address 25.2.2.2 255.255.255.252
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 25.2.2.1
No R3, configure o seguinte:
hostname R3
interface GigabitEthernet0/0
description LINK Local Network
ip address 10.3.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet0/3
description LINK for ISP-3
ip address 35.3.3.3 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 35.3.3.33
Após concluir a configuração básica nos ISPs e em R1, R2 e R3, executaremos as tarefas.
- Tarefa 1.1 R1, R2 e R3 estão em uma topologia hub and spoke, onde R1 é o hub e R2 e R3 são os spokes. Configure DMVPN como a tecnologia subjacente. Interface de origem G0/1(R1), G0/2(R2), G0/3(R3), endereço IP do túnel conforme a topologia, MTU 1400 e MSS 1360, mGRE e chave de túnel 6783.
Em R1, configure o seguinte:
R1(config)#interface tunnel 0
R1(config-if)#description DMVPN HUB
R1(config-if)#ip address 172.16.123.1 255.255.255.0
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source g0/1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 6783
R1(config-if)#end
No R2, configure o seguinte:
R2(config)#interface tunnel 0
R2(config-if)#description DMVPN Spoke Site 2
R2(config-if)#ip address 172.16.123.2 255.255.255.0
R2(config-if)#ip mtu 1400
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source g0/2
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel key 6783
R2(config-if)#end
No R3, configure o seguinte:
R3(config)#interface tunnel 0
R3(config-if)#description DMVPN Spoke Site 3
R3(config-if)#ip address 172.16.123.3 255.255.255.0
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source g0/3
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 6783
R3(config-if)#end
- Tarefa 1.2 Configurar NHRP em R1, que é o HUB. Use o comando para autenticar com a senha Cisco!23, configure o mapeamento multicast dinâmico para que, quando os dispositivos se registrarem, eles mapeiem os endereços IP alcançáveis dinamicamente. Configure um Network ID com o identificador 123 e use o comando para implementar a fase 3.
No R1, configure o seguinte:
R1(config)#interface tunnel 0
R1(config-if)#ip nhrp authentication Cisco!23
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 123
R1(config-if)#ip nhrp redirect
R1(config-if)#end
Depois de configurar o R1, use o comando debug nhrp para exibir informações sobre o que acontece quando os Spokes se conectam.
R1#debug nhrp
- Tarefa 1.3 Nos Spokes, configure a autenticação com a senha Cisco!23. Mapeie o endereço do túnel do Hub para seu endereço alcançável usando o comando nhrp map. Configure o servidor nh e aponte-o para o IP do túnel do Hub. Configure o mapeamento multicast apontando para o endereço alcançável do Hub. Configure um Network ID com o identificador 123. Configure o nhrp shortcut para permitir que os spokes aprendam e enviem tráfego entre os spokes.
No R2, configure o seguinte:
R2(config)#interface tunnel 0
R2(config-if)# ip nhrp authen Cisco!23
R2(config-if)# ip nhrp map 172.16.123.1 15.1.1.1
R2(config-if)# ip nhrp map multicast 15.1.1.1
R2(config-if)# ip nhrp network-id 123
R2(config-if)# ip nhrp nhs 172.16.123.1
R2(config-if)# ip nhrp shortcut
R2(config-if)# end
No R3, configure o seguinte:
R3(config)#interface tunnel 0
R3(config-if)# ip nhrp authen Cisco!23
R3(config-if)# ip nhrp map 172.16.123.1 15.1.1.1
R3(config-if)# ip nhrp map multicast 15.1.1.1
R3(config-if)# ip nhrp network-id 123
R3(config-if)# ip nhrp nhs 172.16.123.1
R3(config-if)# ip nhrp shortcut
R3(config-if)# end
- Tarefa 1.4 realizar uma verificação de configuração na interface do tunnel 0.
Em R2 ou R3:
R3#show run int tunnel 0
interface Tunnel0
description DMVPN Spoke Site 3
ip address 172.16.123.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Cisco!23
ip nhrp map 172.16.123.1 15.1.1.1
ip nhrp map multicast 15.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.123.1
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/3
tunnel mode gre multipoint
tunnel key 6783
end
No R1, verifique o debug:
NHRP: Adding Tunnel Endpoints (VPN: 172.16.123.2, NBMA: 25.2.2.2)
Added dynamic multicast mapping for NBMA: 25.2.2.2
NHRP: Adding Tunnel Endpoints (VPN: 172.16.123.3, NBMA: 35.3.3.3)
Adding Tunnel Endpoints (VPN: 172.16.123.3, NBMA: 35.3.3.3)
- Tarefa 1.5 Verifique os mapeamentos nhrp em R1, R2 e R3
Em R1:
R1#show ip nhrp
172.16.123.2/32 via 172.16.123.2
Tunnel0 created 00:04:20, expire 01:55:39
Type: dynamic, Flags: unique registered nhop
NBMA address: 25.2.2.2
172.16.123.3/32 via 172.16.123.3
Tunnel0 created 00:02:38, expire 01:57:21
Type: dynamic, Flags: unique registered nhop
NBMA address: 35.3.3.3
O Type: dynamic, mostrando que eles foram apreendidos dinamicamente, também mostra o endereço acessível de R2 e R3.
Em R2 e R3:
R2#show ip nhrp
172.16.123.1/32 via 172.16.123.1
Tunnel0 created 00:07:24, never expire
Type: static, Flags:
NBMA address: 15.1.1.1
R3#show ip nhrp
172.16.123.1/32 via 172.16.123.1
Tunnel0 created 00:05:44, never expire
Type: static, Flags:
NBMA address: 15.1.1.1
Note que os Spokes só sabem sobre o Hub, isso porque mapeamos estaticamente o endereço do túnel para o endereço NBMA.
- Tarefa 1.6 Adicionar roteamento, usar o protocolo EIGRP, publicar redes locais e túneis.
Em R1, R2 e R3 configure o seguinte:
(config)#router eigrp 1
(config-router)#network 10.0.0.0
(config-router)#network 172.16.123.0 0.0.0.255
(config-router)#end
Verifique as interfaces que participam do roteamento:
R1#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/0 0 0/0 0/0 0 0/0 0 0
Tu0 2 0/0 0/0 8 6/227 50 0
No R2, digite o comando: show ip route eigrp
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 25.2.2.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:05:17, Tunnel0
No R2, observe que quando você insere o comando, a saída mostra apenas a rota local do R1, não a rota local do R3. O R1 sabe sobre a rede local do R3, mas não a está compartilhando devido ao split horizon.
O split horizon, por padrão, diz que se o R1 aprender uma rota por meio de uma interface (g0/1), ele não deve anunciar a mesma rede por meio da mesma interface. É por isso que o R1 está filtrando a rota 10.3 para o R2.
- Tarefa 1.7 Desabilitar o Split Horizon em R1.
No R1 configure o seguinte:
R1(config)#interface tunnel 0
R1(config-if)#no ip split-horizon eigrp 1
*Mar 23 13:52:41.055: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.123.3 (Tunnel0) is resync: split horizon changed
*Mar 23 13:52:41.056: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.123.2 (Tunnel0) is resync: split horizon changed
No R2, agora se usarmos o comando show ip route eigrp, será possível ver a rede 10.3 na tabela de roteamento.
R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 25.2.2.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:25:12, Tunnel0
D 10.3.0.0/24 [90/28160256] via 172.16.123.1, 00:02:09, Tunnel0
- Tarefa 1.8 Executar verificações.
No R1, verifique os túneis DMVPN:
R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 25.2.2.2 172.16.123.2 UP 01:02:06 D
1 35.3.3.3 172.16.123.3 UP 01:00:24 D
A saída do comando mostra os endereços NBMA de R2 e R3, com seus respectivos endereços de túnel, na seção de atributos mostra a letra D, que representa Dynamic, pois foram aprendidos dinamicamente.
Outro comando em R1:
R1#show ip nhrp
172.16.123.2/32 via 172.16.123.2
Tunnel0 created 01:06:28, expire 01:33:31
Type: dynamic, Flags: unique registered used nhop
NBMA address: 25.2.2.2
172.16.123.3/32 via 172.16.123.3
Tunnel0 created 01:04:47, expire 01:35:12
Type: dynamic, Flags: unique registered used nhop
NBMA address: 35.3.3.3
A saída mostra informações sobre endereços de túnel e seus endereços NBMA.
No R2, o comando show dmvpn mostra a seguinte saída:
R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 15.1.1.1 172.16.123.1 UP 01:09:41 S
Atualmente, ele mostra o endereço do Hub, com o atributo Estático, porque o configuramos estaticamente.
- Tarefa 1.9 No R2, vamos executar um traceroute para o endereço local no R3:
No R2, use o comando:
R2#traceroute 10.3.0.50 source 10.2.0.1
Type escape sequence to abort.
Tracing the route to 10.3.0.50
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.123.1 16 msec 8 msec 8 msec
2 172.16.123.3 20 msec 9 msec 15 msec
3 10.3.0.50 6 msec 5 msec 5 msec
Execute o comando novamente:
R2#traceroute 10.3.0.50 source 10.2.0.1
Type escape sequence to abort.
Tracing the route to 10.3.0.50
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.123.3 4 msec 4 msec 4 msec
2 10.3.0.50 6 msec 5 msec 5 msec
O tráfego não passa mais pelo Hub, pois o R2 agora sabe o endereço do próximo salto.
Use o comando show ip route:
R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 25.2.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 25.2.2.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D 10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:55:07, Tunnel0
C 10.2.0.0/24 is directly connected, GigabitEthernet0/0
L 10.2.0.1/32 is directly connected, GigabitEthernet0/0
D % 10.3.0.0/24 [90/28160256] via 172.16.123.1, 00:32:04, Tunnel0
25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 25.2.2.0/30 is directly connected, GigabitEthernet0/2
L 25.2.2.2/32 is directly connected, GigabitEthernet0/2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.123.0/24 is directly connected, Tunnel0
L 172.16.123.2/32 is directly connected, Tunnel0
H 172.16.123.3/32 is directly connected, 00:26:47, Tunnel0
Note que o símbolo % representa a substituição do próximo salto.
Use o comando show ip cef 10.3.0.3:
R2#show ip cef 10.3.0.0
10.3.0.0/24
nexthop 172.16.123.3 Tunnel0
A saída mostra o endereço do túnel de R3, embora a tabela de roteamento mostre o endereço do túnel de R1, temos a substituição do próximo salto em vigor.
Agora, se usarmos o comando show ip nhrp, veremos vários mapeamentos que não existiam antes.
R2#show ip nhrp
10.2.0.0/24 via 172.16.123.2
Tunnel0 created 00:12:10, expire 01:47:49
Type: dynamic, Flags: router unique local
NBMA address: 25.2.2.2
(no-socket)
10.3.0.0/24 via 172.16.123.3
Tunnel0 created 00:33:13, expire 01:26:46
Type: dynamic, Flags: router used rib nho
NBMA address: 35.3.3.3
172.16.123.1/32 via 172.16.123.1
Tunnel0 created 01:30:59, never expire
Type: static, Flags: used
NBMA address: 15.1.1.1
172.16.123.2/32 via 172.16.123.2
Tunnel0 created 00:33:13, expire 01:26:46
Type: dynamic, Flags: router unique local
NBMA address: 25.2.2.2
(no-socket)
172.16.123.3/32 via 172.16.123.3
Tunnel0 created 00:33:13, expire 01:26:46
Type: dynamic, Flags: router nhop rib
NBMA address: 35.3.3.3
Se usarmos o comando show dmvpn novamente, agora temos as informações de endereçamento para R3, com o atributo DT1, que é Dynamic e a rota está instalada, e DT2, Dynamic e substituição do próximo salto.
Este é o benefício da fase 3 do DMVPN, temos redirecionamento no Hub e atalho (shortcut) nos Spokes.
R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 35.3.3.3 172.16.123.3 UP 00:35:01 DT2
172.16.123.3 UP 00:35:01 DT1
1 15.1.1.1 172.16.123.1 UP 01:32:27 S
- Tarefa 1.10 Implementação do IPsec
Em R1, R2 e R3, configure o seguinte:
(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 16
(config-isakmp)#exit
(config)#crypto isakmp key Cisco!23 address 0.0.0.0
(config)#crypto ipsec transform-set LAB-Set esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit
(config)#crypto ipsec profile LAB-IPsec-Profile
(ipsec-profile)#set transform-set LAB-Set
(ipsec-profile)#exit
(config)#interface tunnel 0
(config-if)#tunnel protection ipsec profile LAB-IPsec-Profile
(config-if)#end
Veja os túneis da Fase 1 do IKE que foram estabelecidos:
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
25.2.2.2 35.3.3.3 QM_IDLE 1003 ACTIVE
15.1.1.1 25.2.2.2 QM_IDLE 1001 ACTIVE
35.3.3.3 25.2.2.2 QM_IDLE 1004 ACTIVE
25.2.2.2 15.1.1.1 QM_IDLE 1002 ACTIVE
R2#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec AES256+SHA512 0 9 9 25.2.2.2
2 IPsec AES256+SHA512 8 0 0 25.2.2.2
3 IPsec AES256+SHA512 0 0 0 25.2.2.2
4 IPsec AES256+SHA512 0 0 0 25.2.2.2
5 IPsec AES256+SHA512 0 413 413 25.2.2.2
6 IPsec AES256+SHA512 411 0 0 25.2.2.2
7 IPsec AES256+SHA512 0 0 0 25.2.2.2
8 IPsec AES256+SHA512 0 0 0 25.2.2.2
9 IPsec AES256+SHA512 0 0 0 25.2.2.2
10 IPsec AES256+SHA512 0 0 0 25.2.2.2
1001 IKE SHA512+AES256 0 0 0 25.2.2.2
1002 IKE SHA512+AES256 0 0 0 25.2.2.2
1003 IKE SHA512+AES256 0 0 0 25.2.2.2
1004 IKE SHA512+AES256 0 0 0 25.2.2.2
R2#show crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map IPv4 "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: LAB-IPsec-Profile
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
LAB-Set: { esp-256-aes esp-sha512-hmac } ,
}
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 15.1.1.1
Extended IP access list
access-list permit gre host 25.2.2.2 host 15.1.1.1
Current peer: 15.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
LAB-Set: { esp-256-aes esp-sha512-hmac } ,
}
Crypto Map IPv4 "Tunnel0-head-0" 65538 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 35.3.3.3
Extended IP access list
access-list permit gre host 25.2.2.2 host 35.3.3.3
Current peer: 35.3.3.3
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
LAB-Set: { esp-256-aes esp-sha512-hmac } ,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
R2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 25.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (25.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (35.3.3.3/255.255.255.255/47/0)
current_peer 35.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 25.2.2.2, remote crypto endpt.: 35.3.3.3
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xCDF274E3(3455218915)
PFS (Y/N): N, DH group: none
