Let's start
INTERFACES STATUS
=========================
R1#sh int des | i up
Fa0 up up LAN
Se0 up up WAN
R1#sh ip int brief | i up
FastEthernet0 10.0.0.1 YES NVRAM up up
Serial0 12.0.0.1 YES NVRAM up up
R2#sh int des | i up
Fa0 up up LAN
Se0 up up WAN
R2#sh ip int brief | i up
FastEthernet0 20.0.0.1 YES NVRAM up up
Serial0 12.0.0.2 YES NVRAM up up
ABLE TO PING FROM PC1 TO PC2 & VICEVERSA
=========================================
PC1> ping 20.0.0.100
84 bytes from 20.0.0.100 icmp_seq=1 ttl=62 time=36.002 ms
84 bytes from 20.0.0.100 icmp_seq=2 ttl=62 time=58.003 ms
84 bytes from 20.0.0.100 icmp_seq=3 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=4 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=5 ttl=62 time=44.002 ms
PC2> ping 10.0.0.100
84 bytes from 10.0.0.100 icmp_seq=1 ttl=62 time=54.003 ms
84 bytes from 10.0.0.100 icmp_seq=2 ttl=62 time=53.003 ms
84 bytes from 10.0.0.100 icmp_seq=3 ttl=62 time=42.002 ms
84 bytes from 10.0.0.100 icmp_seq=4 ttl=62 time=38.002 ms
84 bytes from 10.0.0.100 icmp_seq=5 ttl=62 time=40.002 ms
Step 1:- Create ACL to define Interesting Traffic.
Step 2:- Define parameters for IKE Phase1 Tunnel (ISAKMP Tunnel)
a) Enable Crypto ISAKMP
b) Configure HAGLE PARAMTERS
c) Set peer & key
Step 3:- Define parameters for IKE Phase2 Tunnel (IPSec Tunnel)
Step 4 :- Create Crypto map and apply to the appropriate interface.
**** every command begins with crypto ****
STEP 1 - Create ACL to define "Interesting" Traffic
=====================================================
R1(config)#access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
R2(config)#access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
note :- we can acls with different acl numbers on both the vpn devices.
STEP 2 - Define parameters for IKE Phase 1 Tunnel (ISAKMP Tunnel)
==================================================================
a) Enable Crypto ISAKMP
==================================================================
R1#sh crypto isakmp policy
ISAKMP is turned off
R2#sh crypto isakmp policy
ISAKMP is turned off
R1(config)#crypto isakmp enable
Mar 13 02:24:38.171: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#sh cry isakmp policy
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
NOTE :- By default there is one IKE PHASE 1 ISAKMP Policy present.
R2(config)#crypto isakmp enable
Mar 13 02:26:44.519: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
b) Configure HAGLE PARAMTERS
==================================================================
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#encryption aes
R1(config-isakmp)#^Z
R1#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 5
R2(config-isakmp)#encryption aes
R2(config-isakmp)#^Z
R2#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
c) Set peer & key
==================================================================
R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
note - both the keys will go encrypted over public network ...it is how the key will be locally
R1(config)#crypto isakmp key 0 cisco123 address 12.0.0.2
R1#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 12.0.0.2 cisco123
R2(config)#crypto isakmp key 0 cisco123 address 12.0.0.1
R2#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 12.0.0.1 cisco123
R2#
====================================================================================================================================
Step 3:- Define parameters for IKE Phase2 Tunnel (IPSec Tunnel)
==================================================================
R1(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)#^Z
R1#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
R2(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)#^Z
R2#
R2#config
Mar 13 03:07:38.415: %SYS-5-CONFIG_I: Configured from console by console
R2#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
====================================================================
Step 4 :- Create Crypto map and apply to the appropriate interface.
====================================================================
R1(config)#crypto map TECHMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 12.0.0.2
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set AMARTECH
R1(config-crypto-map)#^Z
R2(config)#crypto map TECHMAP 10 IPsec-ISakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 12.0.0.1
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#set transform-set AMARTECH
R2(config-crypto-map)#^Z
R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.2
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
R2#sh crypto ma
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.1
Extended IP access list 100
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
R1(config)#int s0
R1(config-if)#crypto map TECHMAP
R1(config-if)#^Z
R1#
R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.2
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Current peer: 12.0.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
Serial0
R2(config)#int s0
R2(config-if)#cry
R2(config-if)#crypto map TECHMAP
R2(config-if)#^Z
R2#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.1
Extended IP access list 100
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Current peer: 12.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
Serial0
========================================================================
R1#sh cry isakmp sa
dst src state conn-id slot status
R1#sh cry ipsec
R1#sh cry ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
======================================================================================================
R1#sh cry isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 1 0 ACTIVE
R2#sh cry isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 1 0 ACTIVE
R1#sh cry ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0xA9BA9F1(177973745)
inbound esp sas:
spi: 0x3637026C(909574764)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4525445/3524)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA9BA9F1(177973745)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4525445/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#sh crypto ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
#pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x3637026C(909574764)
inbound esp sas:
spi: 0xA9BA9F1(177973745)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4467647/3445)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3637026C(909574764)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4467647/3443)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Thanks for Reading !!!!!!
SITE - TO -SITE IPSEC VPN CONFIGURATION |
INTERFACES STATUS
=========================
R1#sh int des | i up
Fa0 up up LAN
Se0 up up WAN
R1#sh ip int brief | i up
FastEthernet0 10.0.0.1 YES NVRAM up up
Serial0 12.0.0.1 YES NVRAM up up
R2#sh int des | i up
Fa0 up up LAN
Se0 up up WAN
R2#sh ip int brief | i up
FastEthernet0 20.0.0.1 YES NVRAM up up
Serial0 12.0.0.2 YES NVRAM up up
ABLE TO PING FROM PC1 TO PC2 & VICEVERSA
=========================================
PC1> ping 20.0.0.100
84 bytes from 20.0.0.100 icmp_seq=1 ttl=62 time=36.002 ms
84 bytes from 20.0.0.100 icmp_seq=2 ttl=62 time=58.003 ms
84 bytes from 20.0.0.100 icmp_seq=3 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=4 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=5 ttl=62 time=44.002 ms
PC2> ping 10.0.0.100
84 bytes from 10.0.0.100 icmp_seq=1 ttl=62 time=54.003 ms
84 bytes from 10.0.0.100 icmp_seq=2 ttl=62 time=53.003 ms
84 bytes from 10.0.0.100 icmp_seq=3 ttl=62 time=42.002 ms
84 bytes from 10.0.0.100 icmp_seq=4 ttl=62 time=38.002 ms
84 bytes from 10.0.0.100 icmp_seq=5 ttl=62 time=40.002 ms
Step 1:- Create ACL to define Interesting Traffic.
Step 2:- Define parameters for IKE Phase1 Tunnel (ISAKMP Tunnel)
a) Enable Crypto ISAKMP
b) Configure HAGLE PARAMTERS
c) Set peer & key
Step 3:- Define parameters for IKE Phase2 Tunnel (IPSec Tunnel)
Step 4 :- Create Crypto map and apply to the appropriate interface.
**** every command begins with crypto ****
STEP 1 - Create ACL to define "Interesting" Traffic
=====================================================
R1(config)#access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
R2(config)#access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
note :- we can acls with different acl numbers on both the vpn devices.
STEP 2 - Define parameters for IKE Phase 1 Tunnel (ISAKMP Tunnel)
==================================================================
a) Enable Crypto ISAKMP
==================================================================
R1#sh crypto isakmp policy
ISAKMP is turned off
R2#sh crypto isakmp policy
ISAKMP is turned off
R1(config)#crypto isakmp enable
Mar 13 02:24:38.171: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#sh cry isakmp policy
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
NOTE :- By default there is one IKE PHASE 1 ISAKMP Policy present.
R2(config)#crypto isakmp enable
Mar 13 02:26:44.519: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
b) Configure HAGLE PARAMTERS
==================================================================
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#encryption aes
R1(config-isakmp)#^Z
R1#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 5
R2(config-isakmp)#encryption aes
R2(config-isakmp)#^Z
R2#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
c) Set peer & key
==================================================================
R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
note - both the keys will go encrypted over public network ...it is how the key will be locally
R1(config)#crypto isakmp key 0 cisco123 address 12.0.0.2
R1#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 12.0.0.2 cisco123
R2(config)#crypto isakmp key 0 cisco123 address 12.0.0.1
R2#sh crypto isakmp key
Keyring Hostname/Address Preshared Key
default 12.0.0.1 cisco123
R2#
====================================================================================================================================
Step 3:- Define parameters for IKE Phase2 Tunnel (IPSec Tunnel)
==================================================================
R1(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)#^Z
R1#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
R2(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)#^Z
R2#
R2#config
Mar 13 03:07:38.415: %SYS-5-CONFIG_I: Configured from console by console
R2#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
====================================================================
Step 4 :- Create Crypto map and apply to the appropriate interface.
====================================================================
R1(config)#crypto map TECHMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 12.0.0.2
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set AMARTECH
R1(config-crypto-map)#^Z
R2(config)#crypto map TECHMAP 10 IPsec-ISakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 12.0.0.1
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#set transform-set AMARTECH
R2(config-crypto-map)#^Z
R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.2
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
R2#sh crypto ma
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.1
Extended IP access list 100
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
R1(config)#int s0
R1(config-if)#crypto map TECHMAP
R1(config-if)#^Z
R1#
R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.2
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Current peer: 12.0.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
Serial0
R2(config)#int s0
R2(config-if)#cry
R2(config-if)#crypto map TECHMAP
R2(config-if)#^Z
R2#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.1
Extended IP access list 100
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Current peer: 12.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AMARTECH,
}
Interfaces using crypto map TECHMAP:
Serial0
========================================================================
R1#sh cry isakmp sa
dst src state conn-id slot status
R1#sh cry ipsec
R1#sh cry ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
======================================================================================================
R1#sh cry isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 1 0 ACTIVE
R2#sh cry isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 1 0 ACTIVE
R1#sh cry ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0xA9BA9F1(177973745)
inbound esp sas:
spi: 0x3637026C(909574764)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4525445/3524)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA9BA9F1(177973745)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4525445/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2#sh crypto ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
#pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x3637026C(909574764)
inbound esp sas:
spi: 0xA9BA9F1(177973745)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4467647/3445)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3637026C(909574764)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4467647/3443)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Thanks for Reading !!!!!!
Sir how to config in cloud to provide connectivity between 2 routers
ReplyDeletei am trying but its unable to ping 2 router each other
Very use full, Thank you very much
ReplyDeleteWow
ReplyDelete