Site-to-Site FlexVPN IOS router

meddane

On R1, configure a key ring that defines the peer R3:

Address: 23.0.0.3

Local and remote pre-shared key: cisco

 

R1(config)#crypto ikev2 keyring KR

R1(config-ikev2-keyring)# peer R3

R1(config-ikev2-keyring-peer)# address 23.0.0.3

R1(config-ikev2-keyring-peer)# pre-shared-key local cisco

R1(config-ikev2-keyring-peer)# pre-shared-key remote cisco

 

On R3, configure a key ring that defines the peer R1:

Address: 12.0.0.1

Local and remote pre-shared key: cisco

 

R3(config)#crypto ikev2 keyring KR

R3(config-ikev2-keyring)# peer R1

R3(config-ikev2-keyring-peer)# address 12.0.0.1

R3(config-ikev2-keyring-peer)# pre-shared-key local cisco

R3(config-ikev2-keyring-peer)# pre-shared-key remote cisco

 

On R1, modify the smart default of the IKEv2 profile by setting these parameters:

 

Remote identity fqdn: site-R3.com

Local identity local fqdn: site-R1.com

Local and remote authentication: PSK

Keyring: KR (local)

 

R1(config)#crypto ikev2 profile default

IKEv2 profile MUST have:

  1. A local and a remote authentication method.
  2. A match identity or a match certificate statement.

R1(config-ikev2-profile)# match identity remote fqdn site-R3.com

R1(config-ikev2-profile)# identity local fqdn site-R1.com

R1(config-ikev2-profile)# authentication local pre-share

R1(config-ikev2-profile)# authentication remote pre-share

R1(config-ikev2-profile)# keyring local KR

 

On R3, modify the smart default of the IKEv2 profile by setting these parameters:

 

Remote identity fqdn: site-R1.com

Local identity local fqdn: site-R3.com

Local and remote authentication: PSK

Keyring: KR (local)

 

R3(config)#crypto ikev2 profile default

IKEv2 profile MUST have:

  1. A local and a remote authentication method.
  2. A match identity or a match certificate statement.

R3(config-ikev2-profile)# match identity remote fqdn site-R1.com

R3(config-ikev2-profile)# identity local fqdn site-R3.com

R3(config-ikev2-profile)# authentication local pre-share

R3(config-ikev2-profile)# authentication remote pre-share

R3(config-ikev2-profile)# keyring local KR

 

On R1 and R3, configure Tunnel 0 interface.

 

On R1, use the following parameters:

Tunnel IP address: 10.0.13.1

Tunnel source IP: 12.0.0.1

Tunnel destination IP: 23.0.0.3

Tunnel mode: IPsec IPv4

 

R1(config)#int tunnel 0

R1(config-if)# ip address 10.0.13.1 255.255.255.0

R1(config-if)# tunnel source 12.0.0.1

R1(config-if)# tunnel mode ipsec ipv4

R1(config-if)# tunnel destination 23.0.0.3

 

On R3, use the following parameters:

Tunnel IP address: 10.0.13.3

Tunnel source IP: 23.0.0.3

Tunnel destination IP: 12.0.0.1

Tunnel mode: IPsec IPv4

 

R3(config)#int tunnel 0

R3(config-if)# ip address 10.0.13.3 255.255.255.0

R3(config-if)# tunnel source 23.0.0.3

R3(config-if)# tunnel mode ipsec ipv4

R3(config-if)# tunnel destination 12.0.0.1

 

Configure the tunnel interface to use the default IPsec profile:

 

R1(config)#int tunnel 0

R1(config-if)# tunnel protection ipsec profile default

 

R3(config)#int tunnel 0

R3(config-if)# tunnel protection ipsec profile default

 

On R1 and R3, configure the Tunnel interface into OSPF area 0:

 

R1(config)#router ospf 1

R1(config-router)# net 10.0.13.0 0.0.0.255 area 0

R1(config-router)# net 192.168.1.0 0.0.0.255 area 0

 

R3(config)#router ospf 1

R3(config-router)# net 10.0.13.0 0.0.0.255 area 0

R3(config-router)# net 192.168.3.0 0.0.0.255 area 0

 

Verification:

 

On R1 and R2, verify that the IKEv2 SAs have been successfully negotiated:

 

R1#show crypto ikev2 sa

 IPv4 Crypto IKEv2  SA

 

Tunnel-id Local                 Remote                fvrf/ivrf            Status

2         12.0.0.1/500          23.0.0.3/500          none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/589 sec

 

 IPv6 Crypto IKEv2  SA

 

R1#

 

R3#show crypto ikev2 sa

 IPv4 Crypto IKEv2  SA

 

Tunnel-id Local                 Remote                fvrf/ivrf            Status

1         23.0.0.3/500          12.0.0.1/500          none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/650 sec

 

 IPv6 Crypto IKEv2  SA

 

R3#

 

On R1 and R3, verify that the IPsec SAs have been successfully negotiated. The IKEv2 SA must be established before the IPsec SAs can come up:

 

R1#show crypto ipsec sa | s local|remote|pkts|transfo

    Crypto map tag: Tunnel0-head-0, local addr 12.0.0.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67

    #pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3

        transform: esp-aes esp-sha-hmac ,

        transform: esp-aes esp-sha-hmac ,

 

R1#

 

On R1 and R3, verify the OSPF adjacency established through the tunnel and, optionally, other network connectivity. The negotiation of the IKEv2 and IPsec SAs must be successful before the tunnel can pass network traffic:

 

R1#show ip ospf nei

 

Neighbor ID     Pri   State           Dead Time   Address         Interface

192.168.3.3       0   FULL/  -        00:00:32    10.0.13.3       Tunnel0

R1#

 

R3#show ip ospf nei

 

Neighbor ID     Pri   State           Dead Time   Address         Interface

192.168.1.1       0   FULL/  -        00:00:32    10.0.13.1       Tunnel0

R3#

 

R1#show ip route ospf | beg Gate

Gateway of last resort is 12.0.0.2 to network 0.0.0.0

 

      192.168.3.0/32 is subnetted, 1 subnets

O        192.168.3.3 [110/1001] via 10.0.13.3, 00:03:43, Tunnel0

R1#

 

R3#show ip route ospf | beg Gate

Gateway of last resort is 23.0.0.2 to network 0.0.0.0

 

      192.168.1.0/32 is subnetted, 1 subnets

O        192.168.1.1 [110/1001] via 10.0.13.1, 00:04:26, Tunnel0

R3#

 

On R1 and R3, examine the smart defaults for the IPsec profile, the IKEv2 profile, and the IPsec transform set using the show crypto ipsec profile, show crypto ikev2 profile and show crypto ipsec transform-set commands. You should see that the default IPsec profile (applied to the tunnel) references the default IKEv2 profile and the default transform set:

 

R1#show crypto ipsec profile

IPSEC profile default

        IKEV2 profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

 

R1#

 

R1#show crypto ikev2 profile

 

IKEv2 profile: default

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   fqdn site-R3.com

  Certificate maps: none

 Local identity: fqdn site-R1.com

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: KR

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

R1#

 

R1#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

 

R1#

 

R3#show crypto ipsec profile

IPSEC profile default

        IKEV2 profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

 

R3#

 

R3#show crypto ikev2 profile

 

IKEv2 profile: default

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   fqdn site-R1.com

  Certificate maps: none

 Local identity: fqdn site-R3.com

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: KR

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

R3#

 

R3#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

 

R3#

 

On R1 and R3, verify that the actual negotiated traffic protection parameters, displayed in the show crypto ipsec sa command, match the default transform set. The traffic protection with esp-aes/esp-sha-hmac can be found in the IPsec SAs, in the inbound and outbound ESP SAs.

 

R1#show crypto ipsec sa | i transform|inbou|outbou

     current outbound spi: 0xED10B73F(3977295679)

     inbound esp sas:

        transform: esp-aes esp-sha-hmac ,

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

        transform: esp-aes esp-sha-hmac ,

     outbound ah sas:

     outbound pcp sas:

R1#

 

On R1 and R3, examine the smart defaults for the IKEv2 policy and the IKEv2 proposal using appropriate show commands. You should see that the default IKEv2 policy references the default IKEv2 proposal:

 

R1#show crypto ikev2 policy

 

 IKEv2 policy : default

      Match fvrf : any

      Match address local : any

      Proposal    : default

R1#

 

R1#show crypto ikev2 proposal

 IKEv2 proposal: default

     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128

     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596

     PRF        : SHA512 SHA384 SHA256 SHA1 MD5

     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

R1#

 

On R1, verify that the actual negotiated IKE protection parameters, displayed in the show crypto ikev2 sa command, match the first entries in the default proposal.

 

R1#show crypto ikev2 sa

 IPv4 Crypto IKEv2  SA

 

Tunnel-id Local                 Remote                fvrf/ivrf            Status

2         12.0.0.1/500          23.0.0.3/500          none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/1611 sec

 

 IPv6 Crypto IKEv2  SA

 

R1#

 

R3#show crypto ikev2 policy

 

 IKEv2 policy : default

      Match fvrf : any

      Match address local : any

      Proposal    : default

R3#

 

R3#show crypto ikev2 proposal

 IKEv2 proposal: default

     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128

     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596

     PRF        : SHA512 SHA384 SHA256 SHA1 MD5

     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

R3#

 

On R3, verify that the actual negotiated IKE protection parameters, displayed in the show crypto ikev2 sa command, match the first entries in the default proposal.

 

R3#show crypto ikev2 sa

 IPv4 Crypto IKEv2  SA

 

Tunnel-id Local                 Remote                fvrf/ivrf            Status

1         23.0.0.3/500          12.0.0.1/500          none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/1513 sec

 

 IPv6 Crypto IKEv2  SA

 

R3#
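The default proposal shown above still offers MD5, SHA-1 and DH groups 5 and 2 as fallbacks, even though the negotiated SA picked the first (strongest) entries. The following is an added example, not part of the original post: a small audit that parses `show crypto ikev2 proposal` and `show crypto ikev2 sa` output and flags weak offers. The weak-algorithm policy and the function names are assumptions of this example.

```python
import re

# Policy of this example (an assumption, not Cisco's or the author's).
# SHA96 / MD596 are the 96-bit truncated HMAC-SHA1 / HMAC-MD5 integrity options.
WEAK_ALGS = {"MD5", "MD596", "SHA1", "SHA96"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP groups

# Sample input constructed from the outputs shown on this page.
PROPOSAL_OUTPUT = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""
SA_OUTPUT = """\
2         12.0.0.1/500          23.0.0.3/500          none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""

def parse_proposals(text):
    """Return {proposal_name: {field: [values]}} for enabled proposals."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*IKEv2 proposal:\s*(\S+)(\s+Disabled)?", line)
        if m:
            # A disabled proposal is listed but never offered, so skip it.
            current = None if m.group(2) else proposals.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.+)", line)
        if m and current is not None:
            field, value = m.group(1), m.group(2)
            if field == "DH Group":
                current[field] = [int(g) for g in re.findall(r"/Group (\d+)", value)]
            else:
                current[field] = value.split()
    return proposals

def audit_proposals(proposals):
    """List every weak integrity/PRF algorithm or DH group a proposal offers."""
    findings = []
    for name, fields in proposals.items():
        for field in ("Integrity", "PRF"):
            for alg in fields.get(field, []):
                if alg in WEAK_ALGS:
                    findings.append(f"{name}: {field} offers {alg}")
        for grp in fields.get("DH Group", []):
            if grp in WEAK_DH_GROUPS:
                findings.append(f"{name}: DH group {grp} offered")
    return findings

def audit_sas(text):
    """Flag established IKEv2 SAs that negotiated a weak DH group."""
    groups = [int(g) for g in re.findall(r"DH Grp:(\d+)", text)]
    return [f"active SA uses DH group {g}" for g in groups if g in WEAK_DH_GROUPS]

if __name__ == "__main__":
    for finding in audit_proposals(parse_proposals(PROPOSAL_OUTPUT)) + audit_sas(SA_OUTPUT):
        print("WEAK:", finding)
```

Run against the output captured after the proposal is restricted to AES-CBC-256, SHA512 and group 20, the same functions return no findings.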

 

Modify smart defaults to increase protection strength.

 

On R1 and R2, modify the default IKEv2 proposal to use a stronger Diffie-Hellman group, group 20. Use the following parameters:

 

For encryption: 256-bit CBC-mode AES

For integrity: SHA 512

For key exchange: DH group 20

 

R1(config)#crypto ikev2 proposal default

%Warning: This will Modify Default IKEv2 Proposal. Exit if you don't want

R1(config-ikev2-proposal)# encryption aes-cbc-256

R1(config-ikev2-proposal)# integrity sha512

R1(config-ikev2-proposal)# group 20

 

R3(config)#crypto ikev2 proposal default

%Warning: This will Modify Default IKEv2 Proposal. Exit if you don't want

R3(config-ikev2-proposal)# encryption aes-cbc-256

R3(config-ikev2-proposal)# integrity sha512

R3(config-ikev2-proposal)# group 20

 

On R1 and R3, modify the default transform set to use the Galois Counter Mode (GCM) encryption with key size of 256 bits:

 

R1(config)#crypto ipsec transform-set default esp-gcm 256

%Warning: Default transform set has been modified.

R1(cfg-crypto-trans)#

 

R3(config)#crypto ipsec transform-set default esp-gcm 256

%Warning: Default transform set has been modified.

R3(cfg-crypto-trans)#

 

On R1 and R3, modify the default IPsec profile to perform a Diffie-Hellman exchange with group 20 each time that the IKEv2 association times out (known as Perfect Forward Secrecy).

 

R1(config)#crypto ipsec profile default

%Warning: This will Modify Default IPSec Profile.Exit if you don't want

R1(ipsec-profile)# set pfs group20

 

R3(config)#crypto ipsec profile default

%Warning: This will Modify Default IPSec Profile.Exit if you don't want

R3(ipsec-profile)# set pfs group20

 

On R1, clear the IPsec SAs:

 

R1#clear crypto sa

 

On R1, examine the IKEv2 SAs. You should see that, in contrast to the previous attributes, a stronger DH exchange has been used to establish the SA:

 

R1#show crypto ikev2 sa

 IPv4 Crypto IKEv2  SA

 

Tunnel-id Local                 Remote                fvrf/ivrf            Status

1         12.0.0.1/500          23.0.0.3/500          none/none            READY

      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:20, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/7 sec

 

 IPv6 Crypto IKEv2  SA

 

R1#

 

On R1, examine the IPsec SAs. You should see that, in contrast to previous protection, GCM is used to secure the traffic:

 

R1#show crypto ipsec sa | i transform

        transform: esp-gcm 256 ,

        transform: esp-gcm 256 ,

R1#

 

Implement Point-to-Point FlexVPN without Smart Defaults.

 

Configure the point-to-point FlexVPN with the same protection strength, without the smart defaults. You will disable the smart default constructs.

 

On R1, create an IKEv2 profile (CCNPS-IKEV2-PROFILE). Configure it identically to the default IKEv2 profile.

 

R1(config)#crypto ikev2 profile CCNPS-IKEV2-PROFILE

IKEv2 profile MUST have:

  1. A local and a remote authentication method.
  2. A match identity or a match certificate statement.

R1(config-ikev2-profile)# match identity remote fqdn site-R3.com

R1(config-ikev2-profile)# identity local fqdn site-R1.com

R1(config-ikev2-profile)# authentication local pre-share

R1(config-ikev2-profile)# authentication remote pre-share

R1(config-ikev2-profile)# keyring local KR

 

On R3, create an IKEv2 profile (CCNPS-IKEV2-PROFILE). Configure it identically to the default IKEv2 profile.

 

R3(config)#crypto ikev2 profile CCNPS-IKEV2-PROFILE

IKEv2 profile MUST have:

  1. A local and a remote authentication method.
  2. A match identity or a match certificate statement.

R3(config-ikev2-profile)# match identity remote fqdn site-R1.com

R3(config-ikev2-profile)# identity local fqdn site-R3.com

R3(config-ikev2-profile)# authentication local pre-share

R3(config-ikev2-profile)# authentication remote pre-share

R3(config-ikev2-profile)# keyring local KR

 

On R1 and R3, create an IKEv2 proposal (CCNPS-IKEV2-PROPOSAL) with the strongest available encryption and integrity. Set the DH group to 20.

 

R1(config)#crypto ikev2 proposal CCNPS-IKEV2-PROPOSAL

R1(config-ikev2-proposal)# encryption aes-cbc-256

R1(config-ikev2-proposal)# integrity sha512

R1(config-ikev2-proposal)# group 20

 

R3(config)#crypto ikev2 proposal CCNPS-IKEV2-PROPOSAL

R3(config-ikev2-proposal)# encryption aes-cbc-256

R3(config-ikev2-proposal)# integrity sha512

R3(config-ikev2-proposal)# group 20

 

On R1 and R3, create an IKEv2 policy (CCNPS-IKEV2-POLICY) that references the custom proposal (CCNPS-IKEV2-PROPOSAL).

 

R1(config)#crypto ikev2 policy CCNPS-IKEV2-POLICY

R1(config-ikev2-policy)# proposal CCNPS-IKEV2-PROPOSAL

 

R3(config)#crypto ikev2 policy CCNPS-IKEV2-POLICY

R3(config-ikev2-policy)# proposal CCNPS-IKEV2-PROPOSAL

 

On R1 and R3, create an IPsec transform set (CCNPS-TS) that uses Galois Counter Mode (GCM) with a 256-bit key length.

 

R1(config)#crypto ipsec transform-set CCNPS-TS esp-gcm 256

 

R3(config)#crypto ipsec transform-set CCNPS-TS esp-gcm 256

 

On R1 and R3, create an IPsec profile (CCNPS-IPSEC-PROFILE) that uses PFS group 20, references the custom transform set (CCNPS-TS) and the custom IKEv2 profile (CCNPS-IKEV2-PROFILE).

 

R1(config)#crypto ipsec profile CCNPS-IPSEC-PROFILE

R1(ipsec-profile)# set pfs group20

R1(ipsec-profile)# set transform-set CCNPS-TS

R1(ipsec-profile)# set ikev2-profile CCNPS-IKEV2-PROFILE

 

R3(config)#crypto ipsec profile CCNPS-IPSEC-PROFILE

R3(ipsec-profile)# set pfs group20

R3(ipsec-profile)# set transform-set CCNPS-TS

R3(ipsec-profile)# set ikev2-profile CCNPS-IKEV2-PROFILE

 

On R1 and R3, apply the custom IPsec profile (CCNPS-IPSEC-PROFILE) to the tunnel interface.

 

R1(config)#int tunnel 0

R1(config-if)# tunnel protection ipsec profile CCNPS-IPSEC-PROFILE

 

R3(config)#int tunnel 0

R3(config-if)# tunnel protection ipsec profile CCNPS-IPSEC-PROFILE

 

On R1 and R3, delete the smart defaults:

 

Default IPsec profile

Default IPsec transform set

Default IKEv2 policy

Default IKEv2 proposal

Default IKEv2 profile

 

R1(config)#no crypto ipsec profile default

R1(config)#no cryp ipsec transform-set default

R1(config)#no crypto ikev2 policy default

R1(config)#no crypto ikev2 proposal default

R1(config)#no crypto ikev2 profile default

 

R3(config)#no crypto ipsec profile default

R3(config)#no cryp ipsec transform-set default

R3(config)#no crypto ikev2 policy default

R3(config)#no crypto ikev2 proposal default

R3(config)#no crypto ikev2 profile default

 

On R1, clear the IPsec SAs:

 

R1#clear crypto sa

 

On R1, examine the existing IPsec profile and the IKEv1 profile. Validate your custom configuration:

 

R1#show crypto ipsec profile

IPSEC profile CCNPS-IPSEC-PROFILE

        IKEV2 profile CCNPS-IKEV2-PROFILE

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): Y

        DH group:  group20

        Transform sets={

                CCNPS-TS:  { esp-gcm 256  } ,

        }

 

IPSec profile default: disabled

 

R1#

 

R1#show crypto ikev2 profile

 

IKEv2 profile: CCNPS-IKEV2-PROFILE

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   fqdn site-R3.com

  Certificate maps: none

 Local identity: fqdn site-R1.com

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: KR

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

R1#

 

On R1, examine the IKEv2 policy and the IKEv2 proposal. Validate your custom configuration:

 

R1#show crypto ikev2 policy

 

 IKEv2 policy : CCNPS-IKEV2-POLICY

      Match fvrf  : global

      Match address local : any

      Proposal    : CCNPS-IKEV2-PROPOSAL

 

 IKEv2 policy : default Disabled

R1#

 

R1#show crypto ikev2 proposal

 IKEv2 proposal: CCNPS-IKEV2-PROPOSAL

     Encryption : AES-CBC-256

     Integrity  : SHA512

     PRF        : SHA512

     DH Group   : DH_GROUP_384_ECP/Group 20

 IKEv2 proposal: default Disabled

R1#

 

Verify the IPsec SA on R1, and notice the statistics for encrypted and decrypted packets:

 

R1#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: Tunnel0-head-0, local addr 12.0.0.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

    #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55

    #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3

 

R1#

 

Try to ping the network behind R3 from R1:

 

R1#ping 192.168.3.3 sou lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 156/190/240 ms

R1#

 

The IPsec SA shows that the number of encrypted and decrypted packets has increased:

 

R1#show crypto ipsec sa | s local|remote|pkts

    Crypto map tag: Tunnel0-head-0, local addr 12.0.0.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

    #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60

    #pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3

 

R1#