What is FLEXVPN? How to configure FLEXVPN?

 

FlexVPN is a versatile VPN framework by Cisco that simplifies the configuration and deployment of various types of VPNs because Cisco supports various types of VPNs and many of them require different configurations to show verification commands. FlexVPN is designed to support site-to-site, hub-and-spoke, remote access, and other VPN configurations but The only VPN type that FlexVPN doesn’t cover is GETVPN.

 

Here are some key points about FlexVPN:

Based on IKEv2: FlexVPN utilizes the Internet Key Exchange version 2 (IKEv2) protocol for all its VPN types, which offers improved security and features over IKEv1.

Smart Defaults: It employs smart defaults based on best practices, minimizing the required configuration efforts.

Unified Solution: FlexVPN is a unified solution that covers all VPN types except Group Encrypted Transport VPN (GETVPN), making it easier to manage and operate.

Supports Various Authentication Methods: It supports certificates, pre-shared keys (PSKs), and Extensible Authentication Protocol (EAP) authentication methods.

Deployment Flexibility: FlexVPN can be deployed over public internet or private MPLS VPN networks and is designed for both site-to-site and remote access VPNs.

Failover Redundancy: It offers different redundancy models, including dynamic routing protocols over VPN tunnels and IKEv2-based server clustering.

 

Smart default is a pre-defined value this feature helps us to minimize the configuration and make it easy to configure VPN. For example, when we  configure IPsec VPN with IKEv2, we have to configure the following items

• IKEv2 proposal
• IKEv2 policy
• IKEv2 profile
• IKEv2 keyring
• IPsec transform-set
• IPsec profile

These items we have to configure for IPsec VPN with IKEv2. But with smart default, we use pre-defined values and we have to configure only two items:

• IKEv2 profile 
• IKEv2 policy 

We do not have to configure the proposal, policy, transform-set, and IPsec profile.

Let’s see the configuration for a better understanding: 

Topology: In this topology, we have a head office router-1 and branch sites a,b,c,d, and e routers. head office router is a hub router and the rest of the routers are spokes and router 2 acts as an internet. our task is to configure the IPsec VPN tunnel and all the data will be encrypted.

Goal:

• configure the topology as per the diagram 
• configure the IP addresses as per the topology
• configure a default route on routers 1,3,4,5,6, and 7
• configure static routes on the internet router
• configure crypto keyring
• configure crypto IPsec profile
• configure virtual template on router 1 (head office)
• configure tunnel on spokes routers
• configure EIGRP and advertise LAN and Loopback interfaces on hub and spokes routers
• verify the configuration with show commands

Head-office#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        192.168.10.1    YES NVRAM  up                    up

Serial3/0                   192.168.12.1    YES NVRAM  up                    up

Loopback0              192.168.111.1   YES NVRAM  up                    up

INTERNET#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

Serial3/0              192.168.12.2    YES NVRAM  up                    up

Serial3/1              192.168.23.2    YES NVRAM  up                    up

Serial3/2              192.168.24.2    YES NVRAM  up                    up

Serial3/3              192.168.25.2    YES NVRAM  up                    up

Serial3/4              192.168.26.2    YES NVRAM  up                    up

Serial3/5              192.168.27.2    YES NVRAM  up                    up

Branch-A#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES NVRAM  up                    up
Serial3/1                  192.168.23.1    YES NVRAM  up                    up

Loopback0              192.168.133.1   YES NVRAM  up                    up

Branch-B#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        192.168.40.1    YES NVRAM  up                    up

Serial3/2                  192.168.24.1    YES NVRAM  up                    up

Loopback0              192.168.144.1   YES NVRAM  up                    up

Branch-C#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.50.1    YES NVRAM  up                    up
Serial3/3                   192.168.25.1    YES NVRAM  up                    up
Loopback0              192.168.155.1   YES NVRAM  up                    up

Branch-D#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.60.1    YES NVRAM  up                    up
Serial3/4              192.168.26.1    YES NVRAM  up                    up
Loopback0              192.168.166.1   YES NVRAM  up                    up

Branch-E#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.70.1    YES NVRAM  up                    up
Serial3/5                  192.168.27.1    YES NVRAM  up                    up
Loopback0              192.168.177.1   YES NVRAM  up                    up

Head-office#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial3/0

INTERNET#show ip route static
Gateway of last resort is not set
S     192.168.10.0/24 is directly connected, Serial3/0
S     192.168.30.0/24 is directly connected, Serial3/1
S     192.168.40.0/24 is directly connected, Serial3/2
S     192.168.50.0/24 is directly connected, Serial3/3
S     192.168.60.0/24 is directly connected, Serial3/4
S     192.168.70.0/24 is directly connected, Serial3/5

Branch-A#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial3/1

Branch-B#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial3/2

Branch-C#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/3

Branch-D#show ip route static
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Serial3/4

Branch-E#show ip route static

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Serial3/5

Head-office(config)#crypto ikev2 keyring IKEV2-KEYRING
Head-office(config-ikev2-keyring)#Peer Branch-A
Head-office(config-ikev2-keyring-peer)#address 192.168.23.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-B
Head-office(config-ikev2-keyring-peer)#address 192.168.24.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-C
Head-office(config-ikev2-keyring-peer)#address 192.168.25.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-D
Head-office(config-ikev2-keyring-peer)#address 192.168.26.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#Peer Branch-E
Head-office(config-ikev2-keyring-peer)#address 192.168.27.1
Head-office(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Head-office(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Head-office(config-ikev2-keyring-peer)#exit
Head-office(config-ikev2-keyring)#exit


Head-office(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Head-office(config-ikev2-profile)#match identity remote  address 192.168.23.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.24.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.25.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote address 192.168.26.1 255.255.255.0
Head-office(config-ikev2-profile)#match identity remote  address 192.168.27.1 255.255.255.0

Head-office(config-ikev2-profile)#authentication remote pre-share
Head-office(config-ikev2-profile)#authentication local pre-share
Head-office(config-ikev2-profile)#keyring local IKEV2-KEYRING
Head-office(config-ikev2-profile)#virtual-template 1
Head-office(config-ikev2-profile)#exit
Head-office(config)#exit

Head-office(config)#crypto ipsec profile IPSEC-PROFILE
Head-office(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Head-office(ipsec-profile)#exit

Head-office#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 13
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.23.1 255.255.255.0
   address 192.168.24.1 255.255.255.0
   address 192.168.25.1 255.255.255.0
   address 192.168.26.1 255.255.255.0
   address 192.168.27.1 255.255.255.0
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: 1
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none

Head-office#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-A(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-A(config-ikev2-keyring)#Peer Head-office
Branch-A(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-A(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-A(config-ikev2-keyring-peer)#exit
Branch-A(config-ikev2-keyring)#exit

Branch-A(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-A(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255

Branch-A(config-ikev2-profile)#authentication remote pre-share
Branch-A(config-ikev2-profile)#authentication local pre-share
Branch-A(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-A(config-ikev2-profile)#exit

Branch-A(config)#crypto ipsec profile IPSEC-PROFILE
Branch-A(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-A(ipsec-profile)#exit

Branch-A#show crypto ikev2 profile
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 4
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.12.1 255.255.255.255
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
Branch-A#
Branch-A#show crypto ipsec profile
IPSEC profile IPSEC-PROFILE
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

Branch-B(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-B(config-ikev2-keyring)#Peer Head-office
Branch-B(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-B(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-B(config-ikev2-keyring-peer)#exit
Branch-B(config-ikev2-keyring)#exit

Branch-B(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-B(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255

Branch-B(config-ikev2-profile)#authentication remote pre-share
Branch-B(config-ikev2-profile)#authentication local pre-share
Branch-B(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-B(config-ikev2-profile)#exit

Branch-B(config)#crypto ipsec profile IPSEC-PROFILE
Branch-B(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-B(ipsec-profile)#exit

Branch-B#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   address 192.168.12.1 255.255.255.255

  Certificate maps: none

 Local identity: none

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: IKEV2-KEYRING

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

Branch-B#show crypto ipsec profile

IPSEC profile IPSEC-PROFILE

        IKEV2 profile IKEV2-PROFILE

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

Branch-C(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-C(config-ikev2-keyring)#Peer Head-office
Branch-C(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-C(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-C(config-ikev2-keyring-peer)#exit
Branch-C(config-ikev2-keyring)#exit

Branch-C(config)#crypto ikev2 profile IKEV2-PROFILE
Branch-C(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255
Branch-C(config-ikev2-profile)#authentication remote pre-share
Branch-C(config-ikev2-profile)#authentication local pre-share
Branch-C(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-C(config-ikev2-profile)#exit

Branch-C(config)#crypto ipsec profile IPSEC-PROFILE
Branch-C(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-C(ipsec-profile)#exit

Branch-C#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   address 192.168.12.1 255.255.255.255

  Certificate maps: none

 Local identity: none

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: IKEV2-KEYRING

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

Branch-C#show crypto ipsec profile

IPSEC profile IPSEC-PROFILE

        IKEV2 profile IKEV2-PROFILE

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

Branch-D(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-D(config-ikev2-keyring)#Peer Head-office
Branch-D(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-D(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-D(config-ikev2-keyring-peer)#exit
Branch-D(config-ikev2-keyring)#exit

Branch-D(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-D(config-ikev2-profile)#match identity remote address 192.168.12.1 

Branch-D(config-ikev2-profile)#authentication remote pre-share
Branch-D(config-ikev2-profile)#authentication local pre-share
Branch-D(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-D(config-ikev2-profile)#exit

Branch-D(config)#crypto ipsec profile IPSEC-PROFILE
Branch-D(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-D(ipsec-profile)#exit

Branch-D#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   address 192.168.12.1 255.255.255.255

  Certificate maps: none

 Local identity: none

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: IKEV2-KEYRING

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

Branch-D#show crypto ipsec profile

IPSEC profile IPSEC-PROFILE

        IKEV2 profile IKEV2-PROFILE

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

Branch-E(config)#crypto ikev2 keyring IKEV2-KEYRING
Branch-E(config-ikev2-keyring)#Peer Head-office
Branch-E(config-ikev2-keyring-peer)#address 192.168.12.1
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key local INTERNET
Branch-E(config-ikev2-keyring-peer)#Pre-shared-key remote INTERNET
Branch-E(config-ikev2-keyring-peer)#exit
Branch-E(config-ikev2-keyring)#exit
Branch-E(config)#
Branch-E(config)#
Branch-E(config)#
Branch-E(config)#
Branch-E(config)#
Branch-E(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.
Branch-E(config-ikev2-profile)#match identity remote address 192.168.12.1 255.255.255.255

Branch-E(config-ikev2-profile)#authentication remote pre-share
Branch-E(config-ikev2-profile)#authentication local pre-share
Branch-E(config-ikev2-profile)#keyring local IKEV2-KEYRING
Branch-E(config-ikev2-profile)#exit

Branch-E(config)#crypto ipsec profile IPSEC-PROFILE
Branch-E(ipsec-profile)#set ikev2-profile IKEV2-PROFILE
Branch-E(ipsec-profile)#exit

Branch-E#show crypto ikev2 profile

IKEv2 profile: IKEV2-PROFILE

 Ref Count: 4

 Match criteria:

  Fvrf: global

  Local address/interface: none

  Identities:

   address 192.168.12.1 255.255.255.255

  Certificate maps: none

 Local identity: none

 Remote identity: none

 Local authentication method: pre-share

 Remote authentication method(s): pre-share

 EAP options: none

 Keyring: IKEV2-KEYRING

 Trustpoint(s): none

 Lifetime: 86400 seconds

 DPD: disabled

 NAT-keepalive: disabled

 Ivrf: none

 Virtual-template: none

 AAA EAP authentication mlist: none

 AAA Accounting: none

 AAA group authorization: none

 AAA user authorization: none

Branch-E#show crypto ipsec profile

IPSEC profile IPSEC-PROFILE

        IKEV2 profile IKEV2-PROFILE

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

Head-office(config)#interface virtual-template 1 type tunnel
Head-office(config-if)#tunnel source 192.168.12.1
Head-office(config-if)#tunnel destination dynamic
Head-office(config-if)#ip unnumbered loopback 0
Head-office(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Head-office(config-if)#exit
Head-office(config)#exit
 
Head-office(config)#router eigrp 100
Head-office(config-router)#network 192.168.10.0
Head-office(config-router)#network 192.168.111.0
Head-office(config-router)#no auto-summary
Head-office(config-router)#exit

*Apr 10 14:57:22.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 10 14:57:31.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 10 14:58:56.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 10 14:59:36.675: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
*Apr 10 15:02:28.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up

*Apr 10 15:05:55.379: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.155.1 (Virtual-Access5) is up: new adjacency

*Apr 10 15:05:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
*Apr 10 15:02:31.851: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.166.1 (Virtual-Access3) is up: new adjacency
*Apr 10 15:03:40.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Apr 10 15:03:43.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.177.1 (Virtual-Access4) is up: new adjacency


Branch-A(config)#interface tunnel 0
Branch-A(config-if)#tunnel source 192.168.23.1
Branch-A(config-if)#tunnel destination 192.168.12.1
Branch-A(config-if)#ip unnumbered loopback 0
Branch-A(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-A(config-if)#exit

Branch-A(config)#router eigrp 100
Branch-A(config-router)#network 192.168.30.0
Branch-A(config-router)#network 192.168.133.0
Branch-A(config-router)#no auto-summary
Branch-A(config-router)#exit

*Apr 10 14:57:20.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:57:20.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:57:31.571: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

Branch-B(config)#interface tunnel 0
Branch-B(config-if)#tunnel source 192.168.24.1
Branch-B(config-if)#tunnel destination 192.168.12.1
Branch-B(config-if)#ip unnumbered loopback 0
Branch-B(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-B(config-if)#exit

Branch-B(config)#router eigrp 100
Branch-B(config-router)#network 192.168.40.1
Branch-B(config-router)#network 192.168.144.1
Branch-B(config-router)#no auto-summary
Branch-B(config-router)#exit

*Apr 10 14:58:55.003: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 14:58:55.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 14:59:36.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency


Branch-C(config)#interface tunnel 0
Branch-C(config-if)#tunnel source 192.168.25.1
Branch-C(config-if)#tunnel destination 192.168.12.1
Branch-C(config-if)#ip unnumbered loopback 0
Branch-C(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-C(config-if)#exit

Branch-C(config)#router eigrp 100
Branch-C(config-router)#network 192.168.50.1
Branch-C(config-router)#network 192.168.155.1
Branch-C(config-router)#no auto-summary
Branch-C(config-router)#exit

*Apr 10 15:05:55.467: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

Branch-D(config)#interface tunnel 0
Branch-D(config-if)#tunnel source 192.168.26.1
Branch-D(config-if)#tunnel destination 192.168.12.1
Branch-D(config-if)#ip unnumbered loopback 0
Branch-D(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-D(config-if)#exit

Branch-D(config)#router eigrp 100
Branch-D(config-router)#network 192.168.60.1
Branch-D(config-router)#network 192.168.166.1
Branch-D(config-router)#no auto-summary
Branch-D(config-router)#exit

*Apr 10 15:02:26.987: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:02:27.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr 10 15:02:31.799: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency


Branch-E(config)#interface tunnel 0
Branch-E(config-if)#tunnel source 192.168.27.1
Branch-E(config-if)#tunnel destination 192.168.12.1
Branch-E(config-if)#ip unnumbered loopback 0
Branch-E(config-if)#tunnel protection ipsec profile IPSEC-PROFILE
Branch-E(config-if)#exit

Branch-E(config)#router eigrp 100
Branch-E(config-router)#network 192.168.70.1
Branch-E(config-router)#network 192.168.177.1
Branch-E(config-router)#no auto-summary
Branch-E(config-router)#exit

*Apr 10 15:03:38.223: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Apr 10 15:03:38.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up


Head-office#traceroute 192.168.70.1
Type escape sequence to abort.
Tracing the route to 192.168.70.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.177.1 120 msec 68 msec 68 msec

Head-office#traceroute 192.168.60.1
Type escape sequence to abort.
Tracing the route to 192.168.60.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.166.1 64 msec 72 msec 64 msec

Head-office#traceroute 192.168.40.1
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.144.1 56 msec 68 msec 56 msec

Head-office#traceroute 192.168.30.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.133.1 80 msec 64 msec 56 msec

 

Head-office#show crypto ipsec sa
interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   current_peer 192.168.23.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 981, #pkts encrypt: 981, #pkts digest: 981
    #pkts decaps: 979, #pkts decrypt: 979, #pkts verify: 979
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC7D9A838(3352930360)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x91CBD49D(2446054557)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 12, flow_id: 12, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224607/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC7D9A838(3352930360)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 11, flow_id: 11, sibling_flags 80000000, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4224608/2559)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.24.1/255.255.255.255/47/0)
   current_peer 192.168.24.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 957, #pkts encrypt: 957, #pkts digest: 957
    #pkts decaps: 953, #pkts decrypt: 953, #pkts verify: 953
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.24.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0x2D7CE225(763159077)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x90E4AB46(2430905158)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 14, flow_id: 14, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x2D7CE225(763159077)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 13, flow_id: 13, sibling_flags 80000000, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4328889/2658)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.168.12.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.26.1/255.255.255.255/47/0)
   current_peer 192.168.26.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 910, #pkts encrypt: 910, #pkts digest: 910
    #pkts decaps: 912, #pkts decrypt: 912, #pkts verify: 912
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.26.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xC59185C3(3314648515)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x6584E4BE(1703208126)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 15, flow_id: 15, sibling_flags 80000000, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4330964/2932)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC59185C3(3314648515)

 

Head-office#show crypto ikev2 stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego: 40
Total IKEv2 SA Count:    5        active:        5        negotiating: 0
Incoming IKEv2 Requests: 5        accepted:      5        rejected:    0
Outgoing IKEv2 Requests: 0        accepted:      0        rejected:    0
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0

Head-office#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol

Loopback0              192.168.111.1   YES NVRAM  up                    up
Virtual-Access1        192.168.111.1   YES unset  up                    up
Virtual-Access2        192.168.111.1   YES unset  up                    up
Virtual-Access3        192.168.111.1   YES unset  up                    up
Virtual-Access4        192.168.111.1   YES unset  up                    up
Virtual-Access5        192.168.111.1   YES unset  up                    up
Virtual-Template1      192.168.111.1   YES unset  up                    down

Head-office#show interface virtual-access 1

Virtual-A 192.168.111.1) ccess1 is up, line protocol is up

  Hardware is Virtual Access interface

  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)

  MTU 17874 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL

  Tunnel vaccess, cloned from Virtual-Template1

  Vaccess status 0x0, loopback not set

  Keepalive not set

  Tunnel source 192.168.12.1, destination 192.168.23.1

  Tunnel protocol/transport GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

  Tunnel TTL 255, Fast tunneling enabled

  Tunnel transport MTU 1434 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "IPSEC-PROFILE")

  Last input 00:00:03, output never, output hang never

  Last clearing of "show interface" counters 01:17:48

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     1029 packets input, 86718 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     1031 packets output, 86614 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

Head-office#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
4         192.168.12.1/500      192.168.27.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4043 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         192.168.12.1/500      192.168.24.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4327 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.12.1/500      192.168.23.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4421 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         192.168.12.1/500      192.168.26.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4115 sec
Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         192.168.12.1/500      192.168.25.1/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3908 sec
 IPv6 Crypto IKEv2  SA

Read More

How to configure IPsec on GRE Dynamic Virtual-Template interface?

 

Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. GRE tunnels also allow unicast, multicast, and broadcast traffic between routers but there is a problem with GRE tunnels it is clear text and GRE needs to provide better-grade protection. However, we can encrypt the complete GRE tunnel with IPsec security which provides good-grade security. we already configure IPsec with GRE click here. but in this blog, we will configure an IPsec with a Dynamic Virtual-Template interface.

VTI does the same job that GRE with IPsec does. They both encrypt the tunnel with IPsec. VTI removed the additional 4 bytes GRE header, thus reducing the bandwidth for sending encrypted data. VTI allows the configuration of ACL, NAT, and QoS. remember the default mode for a tunnel is GRE you have to define the mode IPsec IPv4 to configure the SVTI tunnel. 

let's see the configuration- in this topology, we have head office router 1 and branch routers 3 and 4. Router 2 is acting as an internet. 

Topology:-

Goal: is to make sure all the traffic is encrypted with IPsec 

1. Configure the topology as per the diagram 
2. Configure the IP addresses as per the topology
3. Configure default route on head office and branch routers
4. Configure crypto ISAKMP policy
5. Configure crypto keyring
6. Configure crypto ISAKMP profile
7.  Configure crypto IPsec transform-set
8. Configure crypto IPsec Profile
9. Configure dynamic virtual-template 1 type tunnel
10. Configure EIGRP 100
11. Configure tunnel 0 on branches.
12. Apply the IPsec protection on the virtual tunnel 
13. make sure all the traffic is encrypted 
14. verify the configuration with show commands and ping + trace

R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address  192.168.111.1 255.255.255.0
R1(config-if)#exit

 
R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/2
R2(config-if)#ip address 192.168.24.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
 

 
R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.23.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address  192.168.133.1 255.255.255.0
R3(config-if)#exit
 

 
R4(config)#interface serial 3/2
R4(config-if)#ip address 192.168.24.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address  192.168.144.1 255.255.255.0
R4(config-if)#exit

 
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0

R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1
R2(config)#ip route 192.168.40.0 255.255.255.0 serial 3/2
 
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1

R4(config)#ip route 0.0.0.0 0.0.0.0 serial 3/2
 
R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.12.1    YES manual up                    up
Loopback0              192.168.111.1   YES manual up                    up
 
 
R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES manual up                    up
Serial3/1              192.168.23.2    YES manual up                    up
Serial3/2              192.168.24.2    YES manual up                    up
 
R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.23.1    YES manual up                    up
Loopback0              192.168.133.1   YES manual up                    up
 
R4#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES manual up                    up
Serial3/2              192.168.24.1    YES manual up                    up
Loopback0              192.168.144.1   YES manual up                    up

R1(config)#crypto isakmp policy 11
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha256
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit

R1(config)#crypto keyring DVTI-KEYRING
R1(conf-keyring)#pre-shared-key address 192.168.23.1 key INTERNET
R1(conf-keyring)#pre-shared-key address 192.168.24.1 key INTERNET
R1(conf-keyring)#exit

R1(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring DVTI-KEYRING
R1(conf-isa-prof)#match identity address 192.168.23.1
R1(conf-isa-prof)#match identity address 192.168.24.1
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#exit

R1(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile DVTI-IPSEC
R1(ipsec-profile)#set transform-set TRANS-SET
R1(ipsec-profile)#exit

R1#show crypto isakmp profile
 
IKEv1 PROFILE DVTI-ISAKMP
Ref Count = 5
   Identities matched are:
    ip-address 192.168.23.1 255.255.255.255
    ip-address 192.168.24.1 255.255.255.255
   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>

   virtual-template: 1

 
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
 
Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },

R1#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,
        }
 
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,

R3(config)#crypto isakmp policy 11
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#hash sha256
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit

R3(config)#crypto keyring DVTI-KEYRING
R3(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R3(conf-keyring)#exit

R3(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R3(conf-isa-prof)#keyring DVTI-KEYRING
R3(conf-isa-prof)#match identity address 192.168.12.1
R3(conf-isa-prof)#exit

R3(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile DVTI-IPSEC
R3(ipsec-profile)#set transform-set TRANS-SET
R3(ipsec-profile)#exit

R3#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP

Ref Count = 1

   Identities matched are:

    ip-address 192.168.12.1 255.255.255.255

   Certificate maps matched are:

   keyring(s): DVTI-KEYRING

   trustpoint(s): <all>

R3#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }

   will negotiate = { Tunnel,  },

R3#show crypto ipsec profile

IPSEC profile DVTI-IPSEC

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

 

R4(config)#crypto isakmp policy 11
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 14
R4(config-isakmp)#hash sha256
R4(config-isakmp)#encryption aes 256
R4(config-isakmp)#lifetime 3600
R4(config-isakmp)#exit

R4(config)#crypto keyring DVTI-KEYRING
R4(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R4(conf-keyring)#exit

R4(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#keyring DVTI-KEYRING
R4(conf-isa-prof)#match identity address 192.168.12.1

R4(conf-isa-prof)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(cfg-crypto-trans)#exit

R4(config)#crypto ipsec profile DVTI-IPSEC
R4(ipsec-profile)#set transform-set TRANS-SET
R4(ipsec-profile)#exit

R4#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP

Ref Count = 2

   Identities matched are:

    ip-address 192.168.12.1 255.255.255.255

   Certificate maps matched are:

   keyring(s): DVTI-KEYRING

   trustpoint(s): <all>

R4#show crypto ipsec transform-set

Transform set default: { esp-aes esp-sha-hmac  }

   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }

   will negotiate = { Tunnel,  },

R4#show crypto ipsec profile

IPSEC profile DVTI-IPSEC

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,

        }

IPSEC profile default

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                default:  { esp-aes esp-sha-hmac  } ,

        }

 R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination dynamic
R1(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R1(config-if)#no ip split-horizon eigrp 100
R1(config-if)#no ip next-hop-self eigrp 100
R1(config-if)#exit

R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.111.0
R1(config-router)#no auto-summary
R1(config-router)#exit
 
*Apr  8 12:06:26.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:09:06.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr  8 12:09:58.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr  8 12:28:57.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr  8 12:29:58.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency

R1#show interfaces virtual-template 1

Virtual-Template1 is up, line protocol is down

  Hardware is Virtual Template interface

  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)

  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 192.168.12.1

  

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.12.1    192.168.24.1    QM_IDLE           1007 ACTIVE

192.168.12.1    192.168.23.1    QM_IDLE           1006 ACTIVE

R1#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0        192.168.10.1    YES manual up                    up

Serial3/0              192.168.12.1    YES manual up                    up

Loopback0              192.168.111.1   YES manual up                    up

Virtual-Access1        192.168.111.1   YES unset  up                    up

Virtual-Access2        192.168.111.1   YES unset  up                    up

Virtual-Template1      192.168.111.1   YES unset  up                    down

R3(config)#interface tunnel 0

R3(config-if)#ip unnumbered loopback 0

R3(config-if)#tunnel source serial 3/1

R3(config-if)#tunnel destination 192.168.12.1

R3(config-if)#tunnel protection ipsec profile DVTI-IPSEC

R3(config-if)#no ip split-horizon eigrp 100

R3(config-if)#no ip next-hop-self eigrp 100

R3(config-if)#exit

R3(config)#router eigrp 100

R3(config-router)#network 192.168.30.0

R3(config-router)#network 192.168.133.0

R3(config-router)#no auto-summary

R3(config-router)#exit

*Apr  8 12:09:03.531: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:07:48.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

*Apr  8 12:08:31.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

*Apr  8 12:09:57.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

R4(config)#interface tunnel 0

R4(config-if)#ip unnumbered loopback 0

R4(config-if)#tunnel source 192.168.24.1

R4(config-if)#tunnel destination 192.168.12.1

R4(config-if)#tunnel protection ipsec profile DVTI-IPSEC

R4(config-if)#no ip split-horizon eigrp 100

R4(config-if)#no ip next-hop-self eigrp 100

R4(config-if)#exit

R4(config)#router eigrp 100

R4(config-router)#network 192.168.40.0

R4(config-router)#network 192.168.144.0

R4(config-router)#no auto-summary

R4(config-router)#exit

R4(config)#end

R4# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.12.1    192.168.24.1    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA

*Apr  8 12:28:55.243: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:28:32.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

*Apr  8 12:29:58.335: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency

*Apr  8 12:26:54.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

R1#traceroute 192.168.30.1

Type escape sequence to abort.

Tracing the route to 192.168.30.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.133.1 80 msec 60 msec 52 msec

R1#traceroute 192.168.40.1

Type escape sequence to abort.

Tracing the route to 192.168.40.1

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.144.1 56 msec 60 msec 56 msec

R3#show crypto ipsec sa

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 192.168.23.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)

   current_peer 192.168.12.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1487, #pkts encrypt: 1487, #pkts digest: 1487

    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.23.1, remote crypto endpt.: 192.168.12.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/1

     current outbound spi: 0xE987DEF7(3917995767)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x34186AB2(874015410)

        transform: esp-256-aes esp-sha256-hmac ,

        in use settings ={Tunnel, }

        conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4337556/3569)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xE987DEF7(3917995767)

        transform: esp-256-aes esp-sha256-hmac ,

        in use settings ={Tunnel, }

        conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4337556/3569)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.23.1    192.168.12.1    QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

Read More