Lab3-7.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-7/workingconfig
[[3640]]
# Specify 3640 IOS image on Windows here:
# image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
# Specify 3640 IOS image on Linux here:
image = /opt/dynamips/images/c3640-jk.bin
ram = 128
disk0 = 0
disk1 = 0
# Choose an idlepc value from the below
idlepc = 0x605ac7b8
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3640
console = 2001
slot0 = NM-1FE-TX
[[Router R2]]
model = 3640
console = 2002
slot0 = NM-1FE-TX
slot1 = NM-4T
F0/0 = R1 F0/0
S1/0 = R3 S0/0
[[Router R3]]
model = 3640
console = 2003
slot0 = NM-4T
Objective:
‧ Configure EIGRP on the routers
‧ Create a GRE tunnel between two routers
‧ Use IPsec to secure the GRE tunnel
Scenario:
In this lab, you will use the Cisco Command Line Interface (CLI) to configure a secure generic routing encapsulation (GRE) tunnel using IPsec.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname R*   (R1, R2 or R3, matching the router being configured)
Step 1: Configure Addressing
R1:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface fastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
no shutdown
R2:
interface fastEthernet 0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
R3:
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
no shutdown
Step 2: Configure EIGRP AS1
R1:
router eigrp 1
network 192.168.12.0
no auto-summary
R2:
router eigrp 1
network 192.168.0.0 0.0.255.255
no auto-summary
R3:
router eigrp 1
network 192.168.23.0
no auto-summary
Step 3: Configure the GRE Tunnel
R1:
interface Tunnel0
ip address 172.16.13.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
R3:
interface Tunnel0
ip address 172.16.13.3 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.12.1
R1#ping 172.16.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R3#ping 172.16.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
R3#
Step 4: Configure EIGRP AS 2 over the Tunnel
R1 & R3:
router eigrp 2
network 172.16.0.0
no auto-summary
Step 5: Create IKE Policies and Peers
R1:
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
R3:
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
Step 6: Configure the IPsec Transform Sets
R1 & R3:
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
Step 7: Define the Traffic to be Encrypted
R1:
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
R3:
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
Step 8: Create and Apply Crypto Maps
R1:
crypto map mymap 10 ipsec-isakmp
match address 101
set peer 192.168.23.3
set transform-set mytrans
!
interface fastEthernet 0/0
crypto map mymap
R3:
crypto map mymap 10 ipsec-isakmp
match address 101
set peer 192.168.12.1
set transform-set mytrans
!
interface serial 0/0
crypto map mymap
Step 9: Verify Crypto Operation
R1 & R3:
show crypto ipsec sa
show crypto map
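As an added example (not part of the lab manual), a small Python checker that reads the crypto-relevant lines of the R1 and R3 final configurations from this lab and verifies that the two sides agree: each crypto-map peer is the address carrying the other side's crypto map, the ISAKMP key is bound to that same peer, the GRE ACLs are mirror images, and each ACL covers GRE to the tunnel destination (otherwise GRE leaves the interface in the clear). It assumes one crypto map, one GRE ACL entry and one tunnel per router, with sub-commands indented one space as IOS prints them.

```python
import re
R1 = """crypto isakmp key 6 cisco address 192.168.23.3
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 match address 101
interface Tunnel0
 tunnel destination 192.168.23.3
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map mymap
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
"""
R3 = """crypto isakmp key 6 cisco address 192.168.12.1
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.12.1
 match address 101
interface Tunnel0
 tunnel destination 192.168.12.1
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 crypto map mymap
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
"""
PATTERNS = {  # one regex per fact; assumes one crypto map, one GRE ACL entry and one tunnel per router
    "key_peer": r"^crypto isakmp key (?:\d )?\S+ address (\S+)",
    "map_peer": r"^ set peer (\S+)",
    "acl_ref": r"^ match address (\S+)",
    "tunnel_dst": r"^ tunnel destination (\S+)",
    "acl": r"^access-list (\S+) permit gre host (\S+) host (\S+)",
    # ip address of the interface block that carries "crypto map" (the lazy group cannot leave the block)
    "map_if_ip": r"^ ip address (\S+) \S+\n(?: .*\n)*? crypto map",
}

def parse(cfg):
    """Extract the crypto facts as tuples; a missing fact becomes Nones, which the checks then flag."""
    return {n: (m.groups() if (m := re.search(p, cfg, re.M)) else (None,) * 3) for n, p in PATTERNS.items()}

def check_pair(a, b):
    """Compare two peers' facts in both directions; returns the mismatches (empty list = consistent)."""
    findings = []
    for x, y in ((a, b), (b, a)):
        acl_id, src, dst = x["acl"]
        tests = [
            (x["map_peer"] == y["map_if_ip"], f"set peer {x['map_peer'][0]} is not the address carrying the other side's crypto map"),
            (x["key_peer"] == x["map_peer"], "isakmp key is bound to a different address than the crypto-map peer"),
            (x["acl_ref"][0] == acl_id and dst == x["tunnel_dst"][0], "crypto ACL does not match GRE to the tunnel destination, so GRE would leave the interface in the clear"),
            ((src, dst) == (y["acl"][2], y["acl"][1]), "crypto ACLs are not mirror images of each other"),
        ]
        findings += [msg for ok, msg in tests if not ok]
    return list(dict.fromkeys(findings))  # de-duplicate findings seen from both directions
```

Run `check_pair(parse(R1), parse(R3))` on the lab configs and it returns an empty list; change one ACL host or drop the `crypto map mymap` line from an interface and the corresponding finding appears.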
Final Configurations
R1:
hostname R1
!
no ip domain lookup
!
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.168.23.3
set transform-set mytrans
match address 101
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.13.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
crypto map mymap
no shutdown
!
router eigrp 1
network 192.168.12.0
no auto-summary
!
router eigrp 2
network 172.16.0.0
no auto-summary
!
!
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
!
router eigrp 1
network 192.168.0.0 0.0.255.255
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R3:
hostname R3
!
no ip domain lookup
!
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set mytrans
match address 101
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.13.3 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.12.1
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
crypto map mymap
no shutdown
!
router eigrp 1
network 192.168.23.0
no auto-summary
!
router eigrp 2
network 172.16.0.0
no auto-summary
!
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.09.25 / 2018.06.11