Cisco ISR IPSEC to IPSEC (GNS3)



This is a basic  config for IPsec to IPsec tunneling between two cisco ISRs. I prefer to use GRE tunneling for Lan to Lan but this is commonly used when connecting to 3rd parties or where GRE tunneling is not available.



###############################
## NYC ##
###############################

conf t

router ospf 1
network 30.0.0.0 0.0.0.255 area 0
network 1.1.1.0 0.0.0.255 area 0

ip access-list ext 101
 permit icmp host 1.1.1.1 host 3.3.3.3


crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 1300

crypto isakmp key 0 vault address 40.0.0.1 

crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

crypto map MYMAP 10 ipsec-isakmp
 set peer 40.0.0.1
 set transform-set MYSET
 match address 101

int fa0/0
 ip addr 30.0.0.1 255.255.255.0
 crypto map MYMAP
 no shut

int lo1
ip addr 1.1.1.1 255.255.255.0


###############################
## SAN FRAN##
###############################

conf t

router ospf 1
network 40.0.0.0 0.0.0.255 area 0
network 3.3.3.0 0.0.0.255 area 0

ip access-list ext 101
permit icmp host 3.3.3.3 host 1.1.1.1

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 1300

crypto isakmp key 0 vault address 30.0.0.1 

crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac

crypto map MYMAP 10 ipsec-isakmp
set peer 30.0.0.1
set transform-set MYSET
match address 101

int fa0/0
ip addr 40.0.0.1 255.255.255.0
crypto map MYMAP
no shut

int lo1
ip addr 3.3.3.3 255.255.255.0


###############################
## INTERNET ##
###############################

conf t

int fa0/0
ip addr 30.0.0.2 255.255.255.0
no shut

int fa0/1
ip addr 40.0.0.2 255.255.255.0
no shut

router ospf 1
network 30.0.0.0 0.0.0.255 area 0
network 40.0.0.0 0.0.0.255 area 0

###############################
## TESTING ##
###############################

## Ping from NY to SF ##
ping 3.3.3.3 source lo1

## Ping from SF to NY ##
ping 1.1.1.1 source lo1

## Debug commands ##
debug crypto isakmp 



Comments

Post a Comment

Popular posts from this blog

Image
VXLAN - GNS3 (VEOS \ IOU_L3)  Images:  Spine - IOU - i86bi_linux-adventerprisek9-ms.152-4.M1" Leaf -  vEOS - 4.13.16M-3213248.41316M.1   This was my first crack at configuring VXLAN i used a combination of vEOS and IOS because that is closest to what I run in my production environment. The actual vxlan configuration is very easy its more about making sure the underlying connectivity is in place. You can build the same lab in GNS3 using the CSR router and EIGRP which should be simpler (I had some issues with route summarization). The most important thing to confirm before starting on the vxlan configuration is that you have full reachability between all the loopbacks. Anyway it worked for me next step is doing this with EVPN. ################# ## SPINE-1 ## ################# conf t ## GENERAL ## hostname SPINE-1 ip multicast-routing ## INTERFACES ## int e0/1 ip addr 10.0.11.1 255.255.255.252 int e0/2 ip add...
Read more

Configure OSPF Juniper SRX

Quick page to remind me how to configure OSPF on SRX's as its been a while. ############# # R1 # ############# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24 set interfaces lo0 unit 0 family inet address 1.1.1.1/32 set routing-options router-id 1.1.1.1 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services traceroute set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf set security zones security-zone TRUST address-book address BAML 159.5.153.0/24 set security zones security-zone TRUST host-inbound-traffic system-services all se...
Read more

Upgrading JUNOS via USB

I borrowed this guide from Juniper but keeping it here incase i cannot find it going forward. You need to have a fat32 or smaller than 4gb partitioned USB flash disk.  Enter the shell as root: user@switch> start shell user root Password: root@switch% Before inserting the USB device, perform the following: root@% ls /dev/da* /dev/da0 /dev/da0s1c /dev/da0s2a /dev/da0s3 /dev/da0s3e /dev/da0s1 /dev/da0s1f /dev/da0s2c /dev/da0s3c /dev/da0s1a /dev/da0s2 /dev/da0s2f /dev/da0s3d Insert the USB drive in the USB port. The following output will be displayed: root@% umass1: TOSHIBA TransMemory, rev 2.00/1.00, addr 3 da2 at umass-sim1 bus 1 target 0 lun 0 da2: <TOSHIBA TransMemory 5.00> Removable Direct Access SCSI-0 device da2: 40.000MB/s transfers da2: 983MB (2013184 512 byte sectors: 64H 32S/T 983C) root@% ls /dev/da* /dev/da0 /dev/da0s1c /dev/da0s2a /dev/da0s3 /dev/da0s3e /dev/da0s1 /dev/da0s1f /dev/da0s2c /dev/da0s3c /dev/da2 /dev/da0s1a /dev/da...
Read more