
CCNP Route GNS3 Lab: OSPF over GRE over IPSec over EIGRP

Topology
Configuration
Branch-LEFT
!
! IKEv1 phase-1 policy. `hash` is not set, so the IOS default (SHA-1)
! applies, and `group 2` is 1024-bit Diffie-Hellman; both are below current
! guidance (SHA-256, group 14 or stronger). Lab values -- any change here
! must be made on Branch-RIGHT at the same time or phase 1 will not complete.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86000
! Pre-shared key bound to Branch-RIGHT's serial address. "Password" is a lab
! placeholder; a deployment needs a long random key, unique per peer. IOS keeps
! this key in clear text in the running config unless type 6 key encryption
! (`password encryption aes`) is enabled.
crypto isakmp key Password address 192.168.2.1
!
!
! Phase-2 transform set: ESP with AES-256 encryption and NO integrity
! transform (no esp-sha-hmac), so ESP packets are not authenticated. The MTU
! calculation further down counts 12 bytes of "ESP Auth" that this set does
! not actually add. `mode` is unset, so the IOS default (tunnel mode) applies.
! Same rule as the ISAKMP policy: change it on both peers together.
crypto ipsec transform-set SCLabs-SET esp-aes 256
!
! Static crypto map: peer 192.168.2.1, SA parameters from SCLabs-SET,
! interesting traffic selected by ACL 110. Applied to Serial1/0 below.
crypto map SCLabs-MAP 10 ipsec-isakmp
 description -= IPSEC to 192.168.2.1 =-
 set peer 192.168.2.1
 set transform-set SCLabs-SET
 match address 110
!
! Crypto ACL (what gets encrypted). The GRE entry is what carries Tunnel0
! and must be the mirror image of Branch-RIGHT's entry. The ISAKMP entry is
! not needed: IKE negotiates the SA and is not itself protected by it
! (harmless on most releases -- confirm on the image in use). `log` has no
! effect on what is encrypted and Cisco documents it as unsupported on crypto
! ACLs; the explicit deny is the same as the implicit one (deny = sent in clear).
access-list 110 permit gre 192.168.1.0 0.0.0.3 192.168.2.0 0.0.0.3 log
access-list 110 permit udp 192.168.1.0 0.0.0.3 eq isakmp 192.168.2.0 0.0.0.3 log
access-list 110 deny ip any any log
!
!
! WAN link toward HQ-DR (192.168.1.2). The crypto map is applied here, so
! only traffic leaving this interface and matching ACL 110 is encrypted; the
! IPsec peer (192.168.2.1) is reached across the EIGRP-routed underlay.
interface Serial1/0
no sh
 ip address 192.168.1.1 255.255.255.252
 serial restart-delay 0
 crypto map SCLabs-MAP
!
!
! Branch-LEFT LAN stand-ins; placed in OSPF area 1 and advertised over the
! tunnel by the `router ospf 1` section below.
interface Loopback1
 ip address 10.10.1.1 255.255.255.240
!
interface Loopback2
 ip address 172.16.1.1 255.255.255.224
!
! Underlay-only prefix: carried by EIGRP (network 88.0.0.0), not by OSPF.
interface Loopback88
 ip address 88.88.88.88 255.255.255.0
!
! Underlay routing: EIGRP AS 1 on the serial link and Loopback88 (classful
! `network` statements). No EIGRP neighbor authentication is configured --
! acceptable for a lab, not for a production underlay.
router eigrp 1
net 192.168.1.0
network 88.0.0.0
no au
!


! Because most devices have an MTU of 1500 bytes,
! reducing the GRE tunnel MTU will account for the added overhead
! and help prevent unnecessary packet fragmentation.
!
! http://www.firewall.cx/images/stories/gre-ipsec-tunnel-transport-1.gif
! ESP Overhead:  20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12  (ESP Auth) = 52 Bytes
! GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
! Total Overhead: 52 + 24 = 76 Bytes
!
! Notes on the figures above: the 20-byte "IP Hdr" is the outer header that
! IPsec tunnel mode adds (the default for SCLabs-SET, since `mode` is unset),
! so despite the "transport" image name these are tunnel-mode numbers. The
! 12-byte ESP Auth only exists when an integrity transform is configured,
! which SCLabs-SET does not have. 1500 - 76 = 1424, so 1400 leaves headroom.
! `ip tcp adjust-mss` is commonly paired with `ip mtu` so TCP sessions never
! reach the limit; it is not set here.
!
! GRE tunnel (default tunnel mode) over the serial underlay. The 1.1.1.0/24
! overlay is OSPF area 0; the endpoints match the GRE entry in ACL 110.
interface Tunnel0
ip mtu 1400
 ip address 1.1.1.1 255.255.255.0
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
!

!
! Overlay routing: OSPF area 0 across the tunnel, area 1 for the local
! loopbacks, so Branch-LEFT acts as the ABR between area 0 and area 1.
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.15 area 1
 network 172.16.1.0 0.0.0.31 area 1
!
! Point-to-point network type so the loopbacks are advertised with their
! configured masks (/28 and /27) instead of /32 host routes.
int loopback 1
 ip ospf network point-to-point
int loopback 2
 ip ospf network point-to-point
!
! Adjust ACLs
! On classic IOS `no access-list 110 ...` removes the whole numbered list, not
! a single entry (single entries can be removed in `ip access-list extended
! 110` mode), which is why the GRE and ISAKMP entries are entered again here.
! ACL 110 is referenced only by `match address 110` in the crypto map, so the
! new lines widen the interesting-traffic set, not an interface filter.
! NOTE(review): the two `permit ip <loopback subnet> any` entries look
! unnecessary for tunnel traffic -- packets from 10.10.1.0/28 and
! 172.16.1.0/27 reach Branch-RIGHT via Tunnel0 and are already GRE when they
! leave Serial1/0, so the gre entry covers them. They are also not mirror
! images of Branch-RIGHT's entries (10.10.2.0/28, 172.16.2.0/27 toward any),
! which the two crypto ACLs should be; confirm the intent before keeping them.
! Verify the resulting list with `show access-lists`.
no access-list 110 deny ip any any log
access-list 110 permit gre 192.168.1.0 0.0.0.3 192.168.2.0 0.0.0.3 log
access-list 110 permit udp 192.168.1.0 0.0.0.3 eq isakmp 192.168.2.0 0.0.0.3 log
access-list 110 permit ip 10.10.1.0 0.0.0.15 any log
access-list 110 permit ip 172.16.1.0 0.0.0.31 any log
access-list 110 deny ip any any log
!

Branch-RIGHT
!
! IKEv1 phase-1 policy; must match Branch-LEFT's. `hash` is unset (IOS
! default SHA-1) and `group 2` is 1024-bit DH -- both below current guidance
! (SHA-256, group 14 or stronger). Change on both peers together.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86000
! Pre-shared key bound to Branch-LEFT's serial address. "Password" is a lab
! placeholder; use a long random key per peer, and IOS type 6 key encryption
! (`password encryption aes`) if the key must not sit in clear in the config.
crypto isakmp key Password address 192.168.1.1
!
!
! ESP AES-256 encryption only: no integrity transform (no esp-sha-hmac), so
! ESP packets are unauthenticated. `mode` unset -> IOS default tunnel mode.
crypto ipsec transform-set SCLabs-SET esp-aes 256
!
! Static crypto map toward Branch-LEFT; interesting traffic = ACL 110.
! Applied to Serial1/0 below.
crypto map SCLabs-MAP 10 ipsec-isakmp
 description -= IPSEC to 192.168.1.1 =-
 set peer 192.168.1.1
 set transform-set SCLabs-SET
 match address 110
!
! Crypto ACL, the mirror image of Branch-LEFT's. The GRE entry carries
! Tunnel0; the ISAKMP entry is not needed (IKE is not protected by the SA it
! negotiates -- harmless on most releases, confirm on the image in use).
! `log` has no effect on what is encrypted and Cisco documents it as
! unsupported on crypto ACLs; the explicit deny equals the implicit one.
access-list 110 permit gre 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.3 log
access-list 110 permit udp 192.168.2.0 0.0.0.3 eq isakmp 192.168.1.0 0.0.0.3 log
access-list 110 deny ip any any log
!
!
! WAN link toward HQ-BDR (192.168.2.2); the crypto map is applied here, so
! only traffic leaving this interface and matching ACL 110 is encrypted.
interface Serial1/0
no sh
 ip address 192.168.2.1 255.255.255.252
 serial restart-delay 0
 crypto map SCLabs-MAP
!
!
! Branch-RIGHT LAN stand-ins; placed in OSPF area 2 and advertised over the
! tunnel by the `router ospf 1` section below.
interface Loopback1
 ip address 10.10.2.1 255.255.255.240
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.224
!
! Underlay-only prefix: carried by EIGRP (network 99.0.0.0), not by OSPF.
interface Loopback99
 ip address 99.99.99.99 255.255.255.0
!
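! Underlay routing: EIGRP AS 1 on the serial link and Loopback99 (classful
! `network` statements). No EIGRP neighbor authentication is configured --
! acceptable for a lab, not for a production underlay.
! NOTE(review): the original had two `router eigrp 1` stanzas, the first
! carrying a `network 192.168.1.0` copied from Branch-LEFT that matches no
! interface on this router; merged into one stanza with the correct
! 192.168.2.0 network (the stale statement was a no-op, so behaviour is unchanged).
router eigrp 1
 network 192.168.2.0
 network 99.0.0.0
 no auto-summary
!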


!
! GRE tunnel (default tunnel mode) to Branch-LEFT; 1.1.1.0/24 is OSPF area 0.
! `ip mtu 1400` stays under the GRE+IPsec overhead worked out on the
! Branch-LEFT side (1500 - 76 = 1424). `ip tcp adjust-mss` is commonly paired
! with it and is not set here. The endpoints match the GRE entry in ACL 110.
interface Tunnel0
ip mtu 1400
 ip address 1.1.1.2 255.255.255.0
 tunnel source 192.168.2.1
 tunnel destination 192.168.1.1
!


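!
! Overlay routing: OSPF area 0 across the tunnel, area 2 for the local
! loopbacks, so Branch-RIGHT acts as the ABR between area 0 and area 2.
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 10.10.2.0 0.0.0.15 area 2
 network 172.16.2.0 0.0.0.31 area 2
!
! Point-to-point network type so the loopbacks are advertised with their
! configured masks (/28 and /27) instead of the default /32 host routes.
! Branch-LEFT sets this on its loopbacks; this side was missing it, so the
! two branches advertised their LAN stand-ins differently.
int loopback 1
 ip ospf network point-to-point
int loopback 2
 ip ospf network point-to-point
!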
! Adjust ACLs
! On classic IOS `no access-list 110 ...` removes the whole numbered list, not
! a single entry (single entries can be removed in `ip access-list extended
! 110` mode), which is why the GRE and ISAKMP entries are entered again here.
! ACL 110 is referenced only by `match address 110` in the crypto map, so the
! new lines widen the interesting-traffic set, not an interface filter.
! NOTE(review): the two `permit ip <loopback subnet> any` entries look
! unnecessary for tunnel traffic -- packets from 10.10.2.0/28 and
! 172.16.2.0/27 reach Branch-LEFT via Tunnel0 and are already GRE when they
! leave Serial1/0, so the gre entry covers them. They are also not mirror
! images of Branch-LEFT's entries (10.10.1.0/28, 172.16.1.0/27 toward any),
! which the two crypto ACLs should be; confirm the intent before keeping them.
! Verify the resulting list with `show access-lists`.
no access-list 110 deny ip any any log
access-list 110 permit gre 192.168.2.0 0.0.0.3 192.168.1.0 0.0.0.3 log
access-list 110 permit udp 192.168.2.0 0.0.0.3 eq isakmp 192.168.1.0 0.0.0.3 log
access-list 110 permit ip 10.10.2.0 0.0.0.15 any log
access-list 110 permit ip 172.16.2.0 0.0.0.31 any log
access-list 110 deny ip any any log
!

HQ-DR#
!
! HQ LAN segment shared with HQ-BDR (10.0.0.0/24).
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no sh
!
! Serial link to Branch-LEFT (192.168.1.1). Plain underlay: no crypto map
! here -- the branch routers are the IPsec endpoints, and HQ only forwards
! IKE and ESP between them.
interface Serial1/0
 no sh
 ip address 192.168.1.2 255.255.255.252
!
! Underlay EIGRP AS 1: advertises the HQ LAN and the serial link so each
! branch can reach the other's tunnel endpoint. As configured, the OSPF
! overlay never crosses HQ in clear. No EIGRP neighbor authentication (lab).
router eigrp 1
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary



HQ-BDR#
!
! This section reads like running-config output (Fa0/1 shows an explicit
! `shutdown`, the other interfaces do not), so Fa0/0 and Serial1/0 are
! presumably up -- confirm with `show ip interface brief` if pasting by hand.
! HQ LAN segment shared with HQ-DR (10.0.0.0/24).
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
! Unused port, administratively down.
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Serial link to Branch-RIGHT (192.168.2.1). Plain underlay, no crypto map:
! HQ only forwards IKE and ESP between the two branch routers.
interface Serial1/0
 ip address 192.168.2.2 255.255.255.252
 serial restart-delay 0
!
! Underlay EIGRP AS 1: advertises the HQ LAN and the serial link so each
! branch can reach the other's tunnel endpoint. No EIGRP neighbor
! authentication is configured (lab).
router eigrp 1
 network 10.0.0.0
 network 192.168.2.0
 no auto-summary
!


Verification




! Phase-1/phase-2 state per peer; `detail` adds SA lifetimes and counters.
! `show crypto ipsec sa` (encaps/decaps counters per SA) is the quickest way
! to confirm tunnel traffic is actually being encrypted; `show ip ospf neighbor`
! and `show ip eigrp neighbors` cover the overlay and underlay adjacencies.
show crypto session
show crypto session detail
!
! Tear down the IKE and IPsec SAs. Disruptive: the tunnel re-negotiates on
! the next interesting packet. Needed after changing the ISAKMP policy,
! transform set or crypto ACL, since established SAs keep the old parameters
! until they expire or are cleared.
clear crypto isakmp
clear crypto sa