GRE via IPSEC

This lab shows us how to configure a conventional GRE tunnel over IPSEC. GRE is great for emulating a conventional P2P link and is often used in secondary connections via an ISP. This configuration is based on a LAB by the fantastic GNS3 Vault please check them out if you want a more detailed explanation of how to configure the below.

 




#####################
## INTERNET ##
#####################

int fa0/0
ip addr 192.168.12.2 255.255.255.0
no shut

int fa0/1
ip addr 192.168.23.2 255.255.255.0
no shut

router eigrp 1
network 192.168.12.0
network 192.168.23.0

#####################
## NYC ##
#####################

int fa0/0
ip addr 192.168.12.1 255.255.255.0
no shut

int lo1
 ip addr 1.1.1.1 255.255.255.0


router eigrp 1
network 192.168.12.0

router ospf 1
 network 192.168.13.0 0.0.0.255 area 0 
 network 1.1.1.0 0.0.0.255 area 0

crypto isakmp  policy 1
 encryption aes 256 
 authen pre-share
 hash sha
 group 5
 lifetime 3600

crypto isakmp key 0 PASSWORD address 192.168.23.3

crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac

crypto map MYMAP 10 ipsec-isakmp 
set peer 192.168.23.3
match address 101
set transform-set MYTRANS

ip access-list ext 101
 permit gre host 192.168.12.1 host 192.168.23.3

int tunnel 10
 tunnel source fa0/0
 tunnel destination 192.168.23.3
 ip address 192.168.13.1 255.255.255.0

int fa0/0
 crypto map MYMAP 


#####################
## SAN FRAN ##
#####################

int fa0/0
 ip addr 192.168.23.3 255.255.255.0
no shut

int lo1
ip addr 3.3.3.3 255.255.255.0

router eigrp 1
network 192.168.23.0

router ospf 1
network 192.168.13.0 0.0.0.255 area 0
network 3.3.3.0 0.0.0.255 area 0

crypto isakmp  policy 1
 encryption aes 256 
 authen pre-share
 hash sha
 group 5
 lifetime 3600

crypto isakmp key 0 PASSWORD address 192.168.12.1

crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac

crypto map MYMAP 10 ipsec-isakmp 
set peer 192.168.12.1
match address 101
set transform-set MYTRANS

ip access-list ext 101
 permit gre host 192.168.23.3 host 192.168.12.1

int tunnel 10
 tunnel source fa0/0
 tunnel dest 192.168.12.1
 ip address 192.168.13.2 255.255.255.0

int fa0/0
 crypto map MYMAP


Comments

Post a Comment

Popular posts from this blog

Image
VXLAN - GNS3 (VEOS \ IOU_L3)  Images:  Spine - IOU - i86bi_linux-adventerprisek9-ms.152-4.M1" Leaf -  vEOS - 4.13.16M-3213248.41316M.1   This was my first crack at configuring VXLAN i used a combination of vEOS and IOS because that is closest to what I run in my production environment. The actual vxlan configuration is very easy its more about making sure the underlying connectivity is in place. You can build the same lab in GNS3 using the CSR router and EIGRP which should be simpler (I had some issues with route summarization). The most important thing to confirm before starting on the vxlan configuration is that you have full reachability between all the loopbacks. Anyway it worked for me next step is doing this with EVPN. ################# ## SPINE-1 ## ################# conf t ## GENERAL ## hostname SPINE-1 ip multicast-routing ## INTERFACES ## int e0/1 ip addr 10.0.11.1 255.255.255.252 int e0/2 ip add...
Read more

Configure OSPF Juniper SRX

Quick page to remind me how to configure OSPF on SRX's as its been a while. ############# # R1 # ############# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30 set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24 set interfaces lo0 unit 0 family inet address 1.1.1.1/32 set routing-options router-id 1.1.1.1 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ping set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services traceroute set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf set security zones security-zone TRUST address-book address BAML 159.5.153.0/24 set security zones security-zone TRUST host-inbound-traffic system-services all se...
Read more

Upgrading JUNOS via USB

I borrowed this guide from Juniper but keeping it here incase i cannot find it going forward. You need to have a fat32 or smaller than 4gb partitioned USB flash disk.  Enter the shell as root: user@switch> start shell user root Password: root@switch% Before inserting the USB device, perform the following: root@% ls /dev/da* /dev/da0 /dev/da0s1c /dev/da0s2a /dev/da0s3 /dev/da0s3e /dev/da0s1 /dev/da0s1f /dev/da0s2c /dev/da0s3c /dev/da0s1a /dev/da0s2 /dev/da0s2f /dev/da0s3d Insert the USB drive in the USB port. The following output will be displayed: root@% umass1: TOSHIBA TransMemory, rev 2.00/1.00, addr 3 da2 at umass-sim1 bus 1 target 0 lun 0 da2: <TOSHIBA TransMemory 5.00> Removable Direct Access SCSI-0 device da2: 40.000MB/s transfers da2: 983MB (2013184 512 byte sectors: 64H 32S/T 983C) root@% ls /dev/da* /dev/da0 /dev/da0s1c /dev/da0s2a /dev/da0s3 /dev/da0s3e /dev/da0s1 /dev/da0s1f /dev/da0s2c /dev/da0s3c /dev/da2 /dev/da0s1a /dev/da...
Read more