Topology |
Branch-LEFT
!
! IKEv1 phase-1 policy. No "hash" line is given, so the IOS default (SHA-1) applies.
crypto isakmp policy 1
encr aes 256
authentication pre-share
! DH group 2 is 1024-bit MODP, below current guidance; group 14 (2048-bit) or higher
! is preferred when both peers support it.
group 2
! IKE SA lifetime in seconds (IOS default is 86400).
lifetime 86000
! NOTE(review): "Password" is a placeholder-strength pre-shared key stored in clear text in the
! config. Use a long random PSK and enable type-6 storage (key config-key password-encrypt +
! password encryption aes) so "show run" does not expose it.
crypto isakmp key Password address 192.168.2.1
!
!
! NOTE(review): esp-aes 256 alone gives confidentiality but no integrity protection -- there is no
! ESP authentication transform (esp-sha-hmac / esp-sha256-hmac), so a modified ciphertext is not
! detected. Adding an integrity transform is standard practice. The MTU arithmetic on Tunnel0
! counts 12 bytes of "ESP Auth" that this transform set does not actually add.
crypto ipsec transform-set SCLabs-SET esp-aes 256
!
! Static crypto map, applied to Serial1/0 below.
crypto map SCLabs-MAP 10 ipsec-isakmp
description -= IPSEC to 192.168.2.1 =-
set peer 192.168.2.1
set transform-set SCLabs-SET
! ACL 110 is the crypto ACL: "permit" = protect with IPsec, "deny" = forward in the clear
! (not drop). No "set pfs" is configured, so phase-2 keys are derived without
! Perfect Forward Secrecy.
match address 110
!
! Crypto ACL: GRE between the two /30 serial subnets is what actually carries the tunnel.
access-list 110 permit gre 192.168.1.0 0.0.0.3 192.168.2.0 0.0.0.3 log
! NOTE(review): IKE (UDP/500) is the negotiation channel itself and is not normally listed
! in a crypto ACL; this entry looks redundant -- confirm it is intentional.
access-list 110 permit udp 192.168.1.0 0.0.0.3 eq isakmp 192.168.2.0 0.0.0.3 log
! Explicit deny only makes the implicit deny visible/logged; for a crypto ACL "deny"
! means "send unencrypted", so anything not listed above still crosses HQ in clear text.
access-list 110 deny ip any any log
!
!
! WAN link toward HQ-DR (192.168.1.2). The crypto map sits on the physical egress
! interface, so GRE packets sourced from Tunnel0 are encrypted here when they match ACL 110.
interface Serial1/0
no sh
ip address 192.168.1.1 255.255.255.252
serial restart-delay 0
crypto map SCLabs-MAP
!
!
! Loopback1/Loopback2 simulate branch LANs; they are advertised in OSPF over the tunnel below.
interface Loopback1
ip address 10.10.1.1 255.255.255.240
!
interface Loopback2
ip address 172.16.1.1 255.255.255.224
!
! Loopback88 is advertised only via EIGRP (network 88.0.0.0) and is not matched by ACL 110,
! so it appears to be reachable through HQ without IPsec. 88.0.0.0/8 is public address
! space -- lab-only value.
interface Loopback88
ip address 88.88.88.88 255.255.255.0
!
! Underlay routing with HQ: "net" / "no au" are abbreviations of "network" and
! "no auto-summary". Advertises the serial /30 and Loopback88.
router eigrp 1
net 192.168.1.0
network 88.0.0.0
no au
!
! Because most devices have an MTU of 1500 bytes,
! reducing the GRE tunnel MTU will account for the added overhead
! and help prevent unnecessary packet fragmentation.
!
! http://www.firewall.cx/images/stories/gre-ipsec-tunnel-transport-1.gif
! ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes
! GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
! Total Overhead: 52 + 24 = 76 Bytes
!
! NOTE(review): the 8-byte IV figure is the 3DES value; AES-CBC uses a 16-byte IV, and ESP
! padding is not counted. 1400 still leaves ample margin. "ip tcp adjust-mss 1360" on the
! tunnel would additionally clamp TCP sessions that ignore PMTUD.
! No "tunnel mode" line, so this is plain GRE/IP; source/destination are the serial
! addresses, which is why ACL 110 matches on GRE between the two /30s.
! 1.1.1.0/24 is public address space -- lab-only value.
interface Tunnel0
ip mtu 1400
ip address 1.1.1.1 255.255.255.0
tunnel source 192.168.1.1
tunnel destination 192.168.2.1
!
!
!
! Overlay routing: area 0 runs across the tunnel, the branch loopbacks sit in area 1,
! making this router an ABR.
router ospf 1
network 1.1.1.0 0.0.0.255 area 0
network 10.10.1.0 0.0.0.15 area 1
network 172.16.1.0 0.0.0.31 area 1
!
! Loopbacks are advertised as /32 host routes by default; point-to-point network type
! makes OSPF advertise the configured /28 and /27 instead.
int loopback 1
ip ospf network point-to-point
int loopback 2
ip ospf network point-to-point
!
! Adjust ACLs
! Remove the trailing deny so new entries can be appended, then re-add it last.
no access-list 110 deny ip any any log
access-list 110 permit gre 192.168.1.0 0.0.0.3 192.168.2.0 0.0.0.3 log
access-list 110 permit udp 192.168.1.0 0.0.0.3 eq isakmp 192.168.2.0 0.0.0.3 log
! NOTE(review): the two "permit ip ... any" lines are not mirror images of the peer's entries
! (the peer permits 10.10.2.0/28 and 172.16.2.0/27 -> any). Loopback-to-loopback traffic
! normally rides the GRE tunnel and matches the gre entry instead, but if un-tunnelled traffic
! from these subnets ever leaves Serial1/0, phase-2 negotiation would fail on a
! proxy-identity mismatch -- confirm the intent of these entries.
access-list 110 permit ip 10.10.1.0 0.0.0.15 any log
access-list 110 permit ip 172.16.1.0 0.0.0.31 any log
access-list 110 deny ip any any log
!
Branch-RIGHT
!
! IKEv1 phase-1 policy, identical to Branch-LEFT (policies must match for IKE to succeed).
! No "hash" line, so the IOS default (SHA-1) applies.
crypto isakmp policy 1
encr aes 256
authentication pre-share
! DH group 2 (1024-bit MODP) is below current guidance; prefer group 14 or higher.
group 2
lifetime 86000
! NOTE(review): weak, clear-text pre-shared key; use a long random PSK with type-6
! storage (key config-key password-encrypt + password encryption aes).
crypto isakmp key Password address 192.168.1.1
!
!
!
! NOTE(review): encryption-only transform set -- no ESP integrity transform
! (esp-sha-hmac / esp-sha256-hmac). Must stay identical to the peer's set.
crypto ipsec transform-set SCLabs-SET esp-aes 256
!
! Static crypto map pointing at Branch-LEFT's serial address; applied to Serial1/0 below.
crypto map SCLabs-MAP 10 ipsec-isakmp
description -= IPSEC to 192.168.1.1 =-
set peer 192.168.1.1
set transform-set SCLabs-SET
! ACL 110 is the crypto ACL ("deny" = forward in the clear, not drop). No "set pfs".
match address 110
!
! Crypto ACL -- mirror image of Branch-LEFT's ACL 110 (source/destination swapped).
access-list 110 permit gre 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.3 log
! NOTE(review): IKE (UDP/500) does not normally belong in a crypto ACL; confirm this entry is intentional.
access-list 110 permit udp 192.168.2.0 0.0.0.3 eq isakmp 192.168.1.0 0.0.0.3 log
access-list 110 deny ip any any log
!
!
! WAN link toward HQ-BDR (192.168.2.2); crypto map on the physical egress interface.
interface Serial1/0
no sh
ip address 192.168.2.1 255.255.255.252
serial restart-delay 0
crypto map SCLabs-MAP
!
!
! Simulated branch LANs, advertised in OSPF area 2 over the tunnel.
interface Loopback1
ip address 10.10.2.1 255.255.255.240
!
interface Loopback2
ip address 172.16.2.1 255.255.255.224
!
! Loopback99 is advertised only via EIGRP (network 99.0.0.0) and is not matched by ACL 110,
! so it appears to be reachable through HQ without IPsec. 99.0.0.0/8 is public space -- lab-only value.
interface Loopback99
ip address 99.99.99.99 255.255.255.0
!
! Underlay routing with HQ. "net" / "no au" abbreviate "network" / "no auto-summary".
router eigrp 1
! NOTE(review): no interface on Branch-RIGHT is in 192.168.1.0/24 (the serial is 192.168.2.1),
! so this statement matches nothing -- it looks copied from Branch-LEFT.
net 192.168.1.0
network 99.0.0.0
no au
!
! Re-entering "router eigrp 1" edits the same process; this adds 192.168.2.0 to the
! configuration above rather than replacing it.
router eigrp 1
net 192.168.2.0
no au
!
!
! GRE tunnel to Branch-LEFT, other end of 1.1.1.0/24. MTU lowered for GRE+ESP overhead
! (same reasoning as the Branch-LEFT comment block); "ip tcp adjust-mss 1360" would
! additionally clamp TCP sessions.
interface Tunnel0
ip mtu 1400
ip address 1.1.1.2 255.255.255.0
tunnel source 192.168.2.1
tunnel destination 192.168.1.1
!
!
! Overlay routing: area 0 across the tunnel, branch loopbacks in area 2 (this router is an ABR).
! Unlike Branch-LEFT, no "ip ospf network point-to-point" is set on the loopbacks here,
! so they are advertised as /32 host routes rather than with their configured masks.
router ospf 1
network 1.1.1.0 0.0.0.255 area 0
network 10.10.2.0 0.0.0.15 area 2
network 172.16.2.0 0.0.0.31 area 2
!
! Adjust ACLs
! Drop the trailing deny, append the new entries, re-add the deny last.
no access-list 110 deny ip any any log
access-list 110 permit gre 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.3 log
access-list 110 permit udp 192.168.2.0 0.0.0.3 eq isakmp 192.168.1.0 0.0.0.3 log
! NOTE(review): these "permit ip ... any" entries are not mirror images of the peer's
! (peer permits 10.10.1.0/28 and 172.16.1.0/27 -> any); they would only be hit by
! un-tunnelled traffic leaving Serial1/0, and would then fail phase-2 on a proxy-identity
! mismatch -- confirm the intent.
access-list 110 permit ip 10.10.2.0 0.0.0.15 any log
access-list 110 permit ip 172.16.2.0 0.0.0.31 any log
access-list 110 deny ip any any log
!
HQ-DR#
! HQ-DR: plain transit router between Branch-LEFT and the HQ LAN. It has no crypto
! configuration and only forwards the GRE/ESP traffic and whatever the branches send in clear text.
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
no sh
!
! Far end of Branch-LEFT's serial /30.
interface Serial1/0
no sh
ip address 192.168.1.2 255.255.255.252
!
router eigrp 1
network 10.0.0.0
network 192.168.1.0
no auto-summary
HQ-BDR#
! HQ-BDR: transit router between Branch-RIGHT and the HQ LAN (no crypto configuration).
! This block reads like a running-config excerpt (duplex/speed, shut Fa0/1).
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Far end of Branch-RIGHT's serial /30.
! NOTE(review): unlike HQ-DR, no explicit "no shutdown" here; if this is pasted onto a fresh
! device the serial and Fa0/0 stay administratively down -- confirm.
interface Serial1/0
ip address 192.168.2.2 255.255.255.252
serial restart-delay 0
!
router eigrp 1
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
Verification
! Exec-mode checks on either branch: session state should show UP-ACTIVE with the peer's address.
show crypto session
show crypto session detail
! "show crypto ipsec sa" additionally exposes the encaps/decaps counters, which confirm
! traffic is actually being protected rather than just that SAs exist.
!
! Both clears tear down every IKE and IPsec SA on the box and force renegotiation --
! disruptive on a live device; useful here to re-test the negotiation from scratch.
clear crypto isakmp
clear crypto sa