07-24-2019 03:45 PM
The following is an extract of what I set up using C3745 routers in GNS3. This has been a workable solution:
The 2 serial links represent 2 x 2Mbps G.703 links over microwave radio links.
I have created 2 logical tunnels which have both been IPSEC’ed.
Tunnel 1 goes over serial interfaces S0/0 and tunnel 2 goes over S0/1 interfaces.
Vlan 100 traffic goes over tunnel 1 and vlan 20 traffic goes over tunnel 2. This keeps the traffic separate.
================================================================================================
hostname R1
!
pseudowire-class R1
encapsulation l2tpv3
ip local interface Tunnel1
!
pseudowire-class R11
encapsulation l2tpv3
ip local interface Tunnel2
!
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 36700
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 36700
crypto isakmp key cisco123 address 10.1.1.2
crypto isakmp key cisco123 address 10.1.1.6
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC
set transform-set TRANS
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 192.168.10.1 255.255.255.252
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
tunnel protection ipsec profile IPSEC
!
interface Tunnel2
ip address 192.168.10.5 255.255.255.252
tunnel source 10.1.1.5
tunnel destination 10.1.1.6
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
no cdp enable
xconnect 192.168.10.2 16 encapsulation l2tpv3 pw-class R1
!
interface Serial0/0
ip address 10.1.1.1 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
no cdp enable
xconnect 192.168.10.6 17 encapsulation l2tpv3 pw-class R11
!
interface Serial0/1
ip address 10.1.1.5 255.255.255.252
clock rate 2000000
!
================================================================================================
hostname R2
!
pseudowire-class R2
encapsulation l2tpv3
ip local interface Tunnel1
!
pseudowire-class R22
encapsulation l2tpv3
ip local interface Tunnel2
!
!
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 36700
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 36700
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco123 address 10.1.1.5
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC
set transform-set TRANS
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
interface Tunnel1
ip address 192.168.10.2 255.255.255.252
tunnel source 10.1.1.2
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC
!
interface Tunnel2
ip address 192.168.10.6 255.255.255.252
tunnel source 10.1.1.6
tunnel destination 10.1.1.5
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
no cdp enable
xconnect 192.168.10.1 16 encapsulation l2tpv3 pw-class R2
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
no cdp enable
xconnect 192.168.10.5 17 encapsulation l2tpv3 pw-class R22
!
interface Serial0/1
ip address 10.1.1.6 255.255.255.252
clock rate 2000000
!
Moving forward, I wish to use a Cisco ISR4331 router using the same configuration. Unfortunately, I hit a snag. When I assign the xconnect command to the subinterface on the ISR4331, I cannot ping from one laptop to the other. The following commands all say that the tunnels are up and operational.
R1#show crypto isakmp sa
R1#show crypto ipsec sa
R1#show xconnect all
When I apply the xconnect command to the physical interface, however, it works.
Am I missing something?
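As an added check (not the poster's code), the Python below parses trimmed, constructed excerpts of the R1 and R2 configs above and verifies that every xconnect peers with a far-end Tunnel address, so the L2TPv3 session is carried inside the IPsec-protected tunnel rather than in the clear over the serial link, that each VC ID is mirrored back at a local Tunnel address, and it flags the ISAKMP policy's MD5 hash and DH group 2 as weak settings worth replacing.

```python
# Added example (not from the post); excerpts constructed from its R1/R2 configs.
R1 = """\
crypto isakmp policy 1
 hash md5
 group 2
interface Tunnel1
 ip address 192.168.10.1 255.255.255.252
interface Tunnel2
 ip address 192.168.10.5 255.255.255.252
interface FastEthernet0/0.100
 xconnect 192.168.10.2 16 encapsulation l2tpv3 pw-class R1
interface FastEthernet0/1.20
 xconnect 192.168.10.6 17 encapsulation l2tpv3 pw-class R11
"""
R2 = """\
interface Tunnel1
 ip address 192.168.10.2 255.255.255.252
interface Tunnel2
 ip address 192.168.10.6 255.255.255.252
interface FastEthernet0/0.100
 xconnect 192.168.10.1 16 encapsulation l2tpv3 pw-class R2
interface FastEthernet0/1.20
 xconnect 192.168.10.5 17 encapsulation l2tpv3 pw-class R22
"""
WEAK = {("hash", "md5"): "MD5 hash", ("group", "2"): "DH group 2 (1024-bit)"}

def parse(cfg):
    # Returns (Tunnel IPs, {vc_id: (subinterface, peer)}, weak ISAKMP settings).
    tunnels, pws, weak, cur = set(), {}, set(), ""
    for words in (l.split() for l in cfg.splitlines() if l.strip()):
        if words[0] == "interface":
            cur = words[1]
        elif words[:2] == ["ip", "address"] and cur.startswith("Tunnel"):
            tunnels.add(words[2])
        elif words[0] == "xconnect":  # xconnect <peer> <vc-id> encapsulation ...
            pws[int(words[2])] = (cur, words[1])
        elif tuple(words) in WEAK:
            weak.add(WEAK[tuple(words)])
    return tunnels, pws, sorted(weak)

def check_pseudowires(local, remote):
    # Each local xconnect must peer with a far-end Tunnel IP (inside IPsec) and be mirrored back.
    (l_tun, l_pw, _), (r_tun, r_pw, _) = parse(local), parse(remote)
    problems = []
    for vc, (sub, peer) in l_pw.items():
        if peer not in r_tun:
            problems.append(f"{sub}: peer {peer} is not a far-end Tunnel address")
        if vc not in r_pw or r_pw[vc][1] not in l_tun:
            problems.append(f"{sub}: VC ID {vc} is not mirrored at a local Tunnel")
    return problems
```

Run `check_pseudowires` in both directions; an xconnect pointed at the serial address (10.1.1.x) instead of the Tunnel address is reported because the pseudowire would then bypass the IPsec profile.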
07-24-2019 09:27 PM
07-25-2019 01:35 PM
Hi Francesco
Your advice was correct. I placed the xconnect command back on the subinterface and ensured that the traffic going in was tagged with the correct vlan tag. I appreciate your help.
Cheers
Mick W
07-28-2019 06:37 PM