Lab: Configure DMVPN with IPsec

Technologies covered

• mGRE
• NHRP
• EIGRP
• IPsec

Overview

You have been tasked with configuring DMVPN, IPsec, and routing on your
network.

This lab simulates a connection between three sites using DMVPN over
IPsec to ensure security and scalability.

The topology used in the lab will be the following:

Logical Topology: (diagram not reproduced in this text)

EVE-NG Topology: (diagram not reproduced in this text)

Prerequisites

- Create the topology.

- Adjust the settings of the routers that are part of the ISPs:

On ISP-1, configure the following:

hostname ISP-1

interface g0/0
description LINK for R2 Site 2
ip address 25.2.2.1 255.255.255.252
no shutdown
exit

interface g0/1
description LINK for ISP-2
ip address 12.12.12.1 255.255.255.0
no shutdown
exit

interface g0/2
description LINK for ISP-3
ip address 13.13.13.1 255.255.255.0
no shutdown
exit

router bgp 100
network 12.12.12.0 mask 255.255.255.0
network 13.13.13.0 mask 255.255.255.0
network 25.2.2.0 mask 255.255.255.252
neighbor 12.12.12.2 remote-as 200
neighbor 13.13.13.3 remote-as 300

On ISP-2, configure the following:

hostname ISP-2

interface g0/0
description LINK for R1 Site 1
ip address 15.1.1.2 255.255.255.252
no shutdown
exit

interface g0/1
description LINK for ISP-1
ip address 12.12.12.2 255.255.255.0
no shutdown
exit

interface g0/2
description LINK for ISP-3
ip address 23.23.23.2 255.255.255.0
no shutdown
exit

router bgp 200
network 12.12.12.0 mask 255.255.255.0
network 15.1.1.0 mask 255.255.255.252
network 23.23.23.0 mask 255.255.255.0
neighbor 12.12.12.1 remote-as 100
neighbor 23.23.23.3 remote-as 300

On ISP-3, configure the following:

hostname ISP-3

interface g0/0
description LINK for R3 Site 3
ip address 35.3.3.33 255.255.255.0
no shutdown
exit

interface g0/1
description LINK for ISP-2
ip address 23.23.23.3 255.255.255.0
no shutdown
exit

interface g0/2
description LINK for ISP-1
ip address 13.13.13.3 255.255.255.0
no shutdown
exit

router bgp 300
network 13.13.13.0 mask 255.255.255.0
network 23.23.23.0 mask 255.255.255.0
network 35.3.3.0 mask 255.255.255.0
neighbor 13.13.13.1 remote-as 100
neighbor 23.23.23.2 remote-as 200

NOTE: This configuration on the ISPs is a basic, lab-level configuration.

On R1, configure the following:

hostname R1

interface GigabitEthernet0/0
description LINK Local Network
ip address 10.1.0.1 255.255.255.0
no shutdown
exit

interface GigabitEthernet0/1
description LINK for ISP-2
ip address 15.1.1.1 255.255.255.252
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 15.1.1.2

On R2, configure the following:

hostname R2

interface GigabitEthernet0/0
description LINK Local Network
ip address 10.2.0.1 255.255.255.0
no shutdown
exit

interface GigabitEthernet0/2
description LINK for ISP-1
ip address 25.2.2.2 255.255.255.252
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 25.2.2.1

On R3, configure the following:

hostname R3

interface GigabitEthernet0/0
description LINK Local Network
ip address 10.3.0.1 255.255.255.0
no shutdown
exit

interface GigabitEthernet0/3
description LINK for ISP-3
ip address 35.3.3.3 255.255.255.0
no shutdown
exit

ip route 0.0.0.0 0.0.0.0 35.3.3.33

After completing the basic configuration on the ISPs and on R1, R2 and R3,
proceed with the following tasks.

• Task 1.1 R1, R2, and R3 are in a hub and spoke topology where R1 is
the hub and R2 and R3 are the spokes. Configure DMVPN as the
underlying technology. Source interface G0/1(R1), G0/2(R2),
G0/3(R3), tunnel IP address as per topology, MTU 1400 and MSS 1360,
mGRE, and tunnel key 6783.

On R1, configure the following:

R1(config)#interface tunnel 0
R1(config-if)#description DMVPN HUB
R1(config-if)#ip address 172.16.123.1 255.255.255.0
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source g0/1
R1(config-if)#tunnel mode gre multipoint
R1(config-if)#tunnel key 6783
R1(config-if)#end

On R2, configure the following:

R2(config)#interface tunnel 0
R2(config-if)#description DMVPN Spoke Site 2
R2(config-if)#ip address 172.16.123.2 255.255.255.0
R2(config-if)#ip mtu 1400
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source g0/2
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#tunnel key 6783
R2(config-if)#end

On R3, configure the following:

R3(config)#interface tunnel 0
R3(config-if)#description DMVPN Spoke Site 3
R3(config-if)#ip address 172.16.123.3 255.255.255.0
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source g0/3
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel key 6783
R3(config-if)#end

• Task 1.2 Configure NHRP on R1, which is the HUB. Configure NHRP
authentication with the password Cisco!23, and configure dynamic multicast
mapping so that when a spoke registers, the Hub dynamically adds a multicast
mapping for the spoke's reachable (NBMA) address. Configure a network id with
the identifier 123 and enable NHRP redirect to implement Phase 3.

On R1, configure the following:

R1(config)#interface tunnel 0
R1(config-if)#ip nhrp authentication Cisco!23
R1(config-if)#ip nhrp map multicast dynamic
R1(config-if)#ip nhrp network-id 123
R1(config-if)#ip nhrp redirect
R1(config-if)#end

After configuring R1, use the debug nhrp command to display information
about what happens as the Spokes connect.

R1#debug nhrp

• Task 1.3 On the Spokes, configure authentication with the password
Cisco!23. Map the Hub's tunnel address to its reachable (NBMA) address
using the ip nhrp map command. Configure the next-hop server (NHS) and
point it to the Hub's tunnel IP. Configure multicast mapping pointing to
the Hub's reachable address. Configure a network id with the identifier
123. Configure ip nhrp shortcut so that the spokes can learn spoke-to-spoke
paths and send traffic between spokes directly.

On R2, configure the following:

R2(config)#interface tunnel 0
R2(config-if)# ip nhrp authen Cisco!23
R2(config-if)# ip nhrp map 172.16.123.1 15.1.1.1
R2(config-if)# ip nhrp map multicast 15.1.1.1
R2(config-if)# ip nhrp network-id 123
R2(config-if)# ip nhrp nhs 172.16.123.1
R2(config-if)# ip nhrp shortcut
R2(config-if)# end

On R3, configure the following:

R3(config)#interface tunnel 0
R3(config-if)# ip nhrp authen Cisco!23
R3(config-if)# ip nhrp map 172.16.123.1 15.1.1.1
R3(config-if)# ip nhrp map multicast 15.1.1.1
R3(config-if)# ip nhrp network-id 123
R3(config-if)# ip nhrp nhs 172.16.123.1
R3(config-if)# ip nhrp shortcut
R3(config-if)# end

• Task 1.4 Perform a configuration check on the tunnel 0 interface.

On R2 or R3:

R3#show run int tunnel 0

interface Tunnel0
 description DMVPN Spoke Site 3
 ip address 172.16.123.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication Cisco!23
 ip nhrp map 172.16.123.1 15.1.1.1
 ip nhrp map multicast 15.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 172.16.123.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/3
 tunnel mode gre multipoint
 tunnel key 6783
end

On R1, check the debug output:

NHRP: Adding Tunnel Endpoints (VPN: 172.16.123.2, NBMA: 25.2.2.2)
Added dynamic multicast mapping for NBMA: 25.2.2.2
NHRP: Adding Tunnel Endpoints (VPN: 172.16.123.3, NBMA: 35.3.3.3)
Adding Tunnel Endpoints (VPN: 172.16.123.3, NBMA: 35.3.3.3)


• Task 1.5 Check the NHRP mappings on R1, R2 and R3.

On R1:
R1#show ip nhrp
172.16.123.2/32 via 172.16.123.2
   Tunnel0 created 00:04:20, expire 01:55:39
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 25.2.2.2
172.16.123.3/32 via 172.16.123.3
   Tunnel0 created 00:02:38, expire 01:57:21
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 35.3.3.3

Type: dynamic shows that these mappings were learned dynamically from the
spokes' registrations; the output also shows the reachable (NBMA) addresses
of R2 and R3.

On R2 and R3:

R2#show ip nhrp
172.16.123.1/32 via 172.16.123.1
   Tunnel0 created 00:07:24, never expire
   Type: static, Flags:
   NBMA address: 15.1.1.1

R3#show ip nhrp
172.16.123.1/32 via 172.16.123.1
   Tunnel0 created 00:05:44, never expire
   Type: static, Flags:
   NBMA address: 15.1.1.1

Note that the Spokes only know about the Hub; this is because we statically
mapped the Hub's tunnel address to its NBMA address.
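As an added verification aid (example code, not part of the original lab), the following Python parses show ip nhrp output and checks it the way a hub operator would: every expected spoke must appear as a dynamic, registered entry from the NBMA address the topology assigns to it. The same parser recognises the Phase 3 shortcut flags (nho, rib) that appear in a spoke's show ip nhrp output once spoke-to-spoke traffic has flowed (Task 1.9 below), so it serves both checks. The expected-spoke table is an assumption taken from this lab's topology; the sample outputs are copied (and, for R2, excerpted) from the lab's own show output.

```python
import re
from dataclasses import dataclass, field


@dataclass
class NhrpEntry:
    prefix: str               # "172.16.123.2/32", or a shortcut prefix such as "10.3.0.0/24"
    via: str                  # next hop (tunnel address)
    kind: str = ""            # "static" or "dynamic"
    expire: str = ""          # "never" for static mappings
    flags: list = field(default_factory=list)
    nbma: str = ""
    no_socket: bool = False   # "(no-socket)": local entry with no crypto socket attached


def parse_show_ip_nhrp(text):
    """Parse IOS 'show ip nhrp' output into NhrpEntry objects."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"^(\S+/\d+) via (\S+)$", line)):      # header line starts an entry
            cur = NhrpEntry(prefix=m.group(1), via=m.group(2))
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif (m := re.match(r"^\S+ created \S+, (?:expire (\S+)|never expire)$", line)):
            cur.expire = m.group(1) or "never"
        elif (m := re.match(r"^Type: (\w+), Flags:\s*(.*)$", line)):
            cur.kind, cur.flags = m.group(1), m.group(2).split()
        elif (m := re.match(r"^NBMA address: (\S+)$", line)):
            cur.nbma = m.group(1)
        elif line == "(no-socket)":
            cur.no_socket = True
    return entries


def check_hub_registrations(entries, expected_spokes):
    """Hub-side check. expected_spokes maps spoke tunnel IP -> expected NBMA IP.
    Returns a list of problems; empty means every spoke registered correctly."""
    problems, by_prefix = [], {e.prefix: e for e in entries}
    for tunnel_ip, nbma in expected_spokes.items():
        e = by_prefix.get(f"{tunnel_ip}/32")
        if e is None:
            problems.append(f"{tunnel_ip}: no NHRP entry, spoke never registered")
        elif e.kind != "dynamic" or "registered" not in e.flags:
            problems.append(f"{tunnel_ip}: not a dynamic registration "
                            f"(type {e.kind}, flags {' '.join(e.flags)})")
        elif e.nbma != nbma:
            problems.append(f"{tunnel_ip}: registered from NBMA {e.nbma}, expected {nbma}")
    return problems


def shortcut_entries(entries):
    """Spoke-side Phase 3 state: dynamic entries flagged 'nho' (next-hop override)
    or 'rib' are shortcuts learned through the hub's NHRP redirect."""
    return [e for e in entries if e.kind == "dynamic" and {"nho", "rib"} & set(e.flags)]


# Copied from this lab: the hub after both spokes registered.
R1_HUB_OUTPUT = """\
172.16.123.2/32 via 172.16.123.2
   Tunnel0 created 00:04:20, expire 01:55:39
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 25.2.2.2
172.16.123.3/32 via 172.16.123.3
   Tunnel0 created 00:02:38, expire 01:57:21
   Type: dynamic, Flags: unique registered nhop
   NBMA address: 35.3.3.3
"""

# Excerpted from this lab: spoke R2 after the spoke-to-spoke traceroute.
R2_SPOKE_OUTPUT = """\
10.2.0.0/24 via 172.16.123.2
   Tunnel0 created 00:12:10, expire 01:47:49
   Type: dynamic, Flags: router unique local
   NBMA address: 25.2.2.2
    (no-socket)
10.3.0.0/24 via 172.16.123.3
   Tunnel0 created 00:33:13, expire 01:26:46
   Type: dynamic, Flags: router used rib nho
   NBMA address: 35.3.3.3
172.16.123.1/32 via 172.16.123.1
   Tunnel0 created 01:30:59, never expire
   Type: static, Flags: used
   NBMA address: 15.1.1.1
172.16.123.3/32 via 172.16.123.3
   Tunnel0 created 00:33:13, expire 01:26:46
   Type: dynamic, Flags: router nhop rib
   NBMA address: 35.3.3.3
"""

# Assumed from the lab topology: the NBMA address each spoke should register from.
EXPECTED_SPOKES = {"172.16.123.2": "25.2.2.2", "172.16.123.3": "35.3.3.3"}
```

Run check_hub_registrations on the hub's output with EXPECTED_SPOKES; an empty list means both spokes are registered from the right public addresses, and shortcut_entries on a spoke's output lists the prefixes that have been redirected away from the hub.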

• Task 1.6 Add routing: use the EIGRP protocol and advertise the local
networks and the tunnel network.

On R1, R2 and R3 configure the following:

(config)#router eigrp 1
(config-router)#network 10.0.0.0
(config-router)#network 172.16.123.0 0.0.0.255
(config-router)#end

Check the interfaces that participate in routing:

R1#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(1)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/0                      0         0/0          0/0      0          0/0             0        0
Tu0                        2         0/0          0/0      8        6/227            50        0

On R2, enter the command show ip route eigrp:

R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 25.2.2.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:05:17, Tunnel0

On R2, note that the output only shows R1's local route, not R3's. R1 knows
about R3's local network, but it is not advertising it to R2 because of split
horizon.

Split horizon, by default, says that if R1 learns a route through an interface
(here Tunnel0, where it learns R3's network), it must not advertise that same
network back out the same interface. That is why R1 is not passing the
10.3.0.0/24 route on to R2.

• Task 1.7 Disable split horizon on R1.

On R1, configure the following:

R1(config)#interface tunnel 0
R1(config-if)#no ip split-horizon eigrp 1
*Mar 23 13:52:41.055: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.123.3 (Tunnel0) is resync: split horizon changed
*Mar 23 13:52:41.056: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.123.2 (Tunnel0) is resync: split horizon changed

On R2, if we run show ip route eigrp again, network 10.3.0.0/24 now appears
in the routing table.

R2#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 25.2.2.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:25:12, Tunnel0
D        10.3.0.0/24 [90/28160256] via 172.16.123.1, 00:02:09, Tunnel0

• Task 1.8 Perform checks.

On R1, check the DMVPN tunnels:

R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 25.2.2.2        172.16.123.2    UP 01:02:06     D
     1 35.3.3.3        172.16.123.3    UP 01:00:24     D

The command output shows the NBMA addresses of R2 and R3 with their
respective tunnel addresses; the Attrb column shows the letter D (Dynamic),
because both peers were learned dynamically.

Another command on R1:

R1#show ip nhrp
172.16.123.2/32 via 172.16.123.2
   Tunnel0 created 01:06:28, expire 01:33:31
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 25.2.2.2
172.16.123.3/32 via 172.16.123.3
   Tunnel0 created 01:04:47, expire 01:35:12
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 35.3.3.3

The output shows information about the tunnel addresses and their NBMA
addresses.

On R2, the show dmvpn command shows the following output:

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.1.1.1        172.16.123.1    UP 01:09:41     S

It currently shows the Hub address, with the Static attribute, because we
configured it statically.

• Task 1.9 On R2, let's perform a traceroute to the local address on R3:

On R2, use the command:

R2#traceroute 10.3.0.50 source 10.2.0.1
Type escape sequence to abort.
Tracing the route to 10.3.0.50
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.1 16 msec 8 msec 8 msec
  2 172.16.123.3 20 msec 9 msec 15 msec
  3 10.3.0.50 6 msec 5 msec 5 msec

Again:

R2#traceroute 10.3.0.50 source 10.2.0.1
Type escape sequence to abort.
Tracing the route to 10.3.0.50
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.123.3 4 msec 4 msec 4 msec
  2 10.3.0.50 6 msec 5 msec 5 msec

Traffic no longer passes through the Hub, as R2 now knows the next hop
address.

Use the show ip route command:

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 25.2.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 25.2.2.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.0.0/24 [90/26880256] via 172.16.123.1, 00:55:07, Tunnel0
C        10.2.0.0/24 is directly connected, GigabitEthernet0/0
L        10.2.0.1/32 is directly connected, GigabitEthernet0/0
D   %    10.3.0.0/24 [90/28160256] via 172.16.123.1, 00:32:04, Tunnel0
      25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        25.2.2.0/30 is directly connected, GigabitEthernet0/2
L        25.2.2.2/32 is directly connected, GigabitEthernet0/2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.123.0/24 is directly connected, Tunnel0
L        172.16.123.2/32 is directly connected, Tunnel0
H        172.16.123.3/32 is directly connected, 00:26:47, Tunnel0

Note that the % symbol marks a next-hop override: the route's next hop has been replaced by the NHRP shortcut entry.

Use the show ip cef 10.3.0.0 command:

R2#show ip cef 10.3.0.0
10.3.0.0/24
  nexthop 172.16.123.3 Tunnel0

The output shows the tunnel address of R3 even though the routing table
shows the tunnel address of R1: next-hop override is in effect.

Now if we use the show ip nhrp command, we will see several mappings that
did not exist before.

R2#show ip nhrp
10.2.0.0/24 via 172.16.123.2
   Tunnel0 created 00:12:10, expire 01:47:49
   Type: dynamic, Flags: router unique local
   NBMA address: 25.2.2.2
    (no-socket)
10.3.0.0/24 via 172.16.123.3
   Tunnel0 created 00:33:13, expire 01:26:46
   Type: dynamic, Flags: router used rib nho
   NBMA address: 35.3.3.3
172.16.123.1/32 via 172.16.123.1
   Tunnel0 created 01:30:59, never expire
   Type: static, Flags: used
   NBMA address: 15.1.1.1
172.16.123.2/32 via 172.16.123.2
   Tunnel0 created 00:33:13, expire 01:26:46
   Type: dynamic, Flags: router unique local
   NBMA address: 25.2.2.2
    (no-socket)
172.16.123.3/32 via 172.16.123.3
   Tunnel0 created 00:33:13, expire 01:26:46
   Type: dynamic, Flags: router nhop rib
   NBMA address: 35.3.3.3

If we use the show dmvpn command again, we now have the addressing
information for R3, with the attributes DT1 (Dynamic, route installed) and
DT2 (Dynamic, next-hop override).
This is the benefit of DMVPN Phase 3: redirect on the Hub and shortcut on the
Spokes.

R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 35.3.3.3        172.16.123.3    UP 00:35:01   DT2
                       172.16.123.3    UP 00:35:01   DT1
     1 15.1.1.1        172.16.123.1    UP 01:32:27     S
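As an added example (not from the lab), the following Python reads show dmvpn output, decodes the Attrb column with the legend the command prints, and reports the conditions an operator wants to catch: a peer whose State is not UP, an Incomplete entry, a No Socket entry (with tunnel protection applied, IPsec is not up toward that peer), and, on a spoke, a missing static mapping toward the hub. The first sample is R2's output from this lab; the degraded second sample is constructed, and the hub NBMA address passed to the check is taken from the lab topology.

```python
import re

# Attrb legend exactly as 'show dmvpn' prints it.
ATTRB_LEGEND = {"S": "Static", "D": "Dynamic", "I": "Incomplete", "N": "NATed",
                "L": "Local", "X": "No Socket", "T1": "Route Installed",
                "T2": "Nexthop-override", "C": "CTS Capable"}


def decode_attrb(attrb):
    """Split an Attrb string such as 'DT2' into its legend meanings."""
    out, i = [], 0
    while i < len(attrb):
        tok = attrb[i:i + 2] if attrb[i:i + 2] in ATTRB_LEGEND else attrb[i]
        out.append(ATTRB_LEGEND.get(tok, f"unknown({tok})"))
        i += len(tok)
    return out


def parse_show_dmvpn(text):
    """Parse one tunnel interface's 'show dmvpn' output into a summary dict."""
    summary = {"interface": "", "role": "", "peer_count": 0, "peers": []}
    in_table, last_nbma = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"^Interface: (\S+), IPv4 NHRP Details", line)):
            summary["interface"] = m.group(1)
        elif (m := re.match(r"^Type:(\w+), NHRP Peers:(\d+)", line)):
            summary["role"], summary["peer_count"] = m.group(1), int(m.group(2))
        elif line.startswith("-----"):
            in_table = True                     # the dashed rule precedes the rows
        elif in_table and line:
            cols = line.split()
            if len(cols) == 6:                  # # Ent, NBMA, tunnel, state, updn, attrb
                _ent, nbma, tunnel, state, updn, attrb = cols
                last_nbma = nbma
            elif len(cols) == 4:                # continuation row: same NBMA peer
                tunnel, state, updn, attrb = cols
                nbma = last_nbma
            else:
                continue
            summary["peers"].append({"nbma": nbma, "tunnel": tunnel, "state": state,
                                     "updn": updn, "attrb": attrb,
                                     "attributes": decode_attrb(attrb)})
    return summary


def dmvpn_problems(summary, hub_nbma=None):
    """Conditions worth alerting on. hub_nbma: the hub's NBMA address (spokes only)."""
    problems = []
    for p in summary["peers"]:
        tag = f"{p['tunnel']} via NBMA {p['nbma']}"
        if p["state"] != "UP":
            problems.append(f"{tag}: state is {p['state']}")
        if "Incomplete" in p["attributes"]:
            problems.append(f"{tag}: NHRP entry incomplete")
        if "No Socket" in p["attributes"]:
            problems.append(f"{tag}: no crypto socket (with tunnel protection applied, "
                            "IPsec is not up toward this peer)")
    if summary["role"] == "Spoke" and hub_nbma:
        if not any(p["nbma"] == hub_nbma and "Static" in p["attributes"]
                   for p in summary["peers"]):
            problems.append(f"no static NHS mapping toward hub {hub_nbma}")
    return problems


# R2's 'show dmvpn' from this lab, after the spoke-to-spoke shortcut was built.
R2_SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2 35.3.3.3        172.16.123.3    UP 00:35:01   DT2
                       172.16.123.3    UP 00:35:01   DT1
     1 15.1.1.1        172.16.123.1    UP 01:32:27     S
"""

# Constructed (not from the lab): a spoke whose hub session is stuck in IKE.
DEGRADED_SPOKE = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 15.1.1.1        172.16.123.1   IKE 00:00:12    SX
"""

HUB_NBMA = "15.1.1.1"   # from the lab topology
```

Calling dmvpn_problems(parse_show_dmvpn(R2_SHOW_DMVPN), HUB_NBMA) returns an empty list for the healthy spoke; the constructed degraded output yields one problem for the IKE state and one for the missing crypto socket.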

• Task 1.10 IPsec Implementation

On R1, R2 and R3, configure the following:

(config)#crypto isakmp policy 1
(config-isakmp)#encryption aes 256
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 16
(config-isakmp)#exit

(config)#crypto isakmp key Cisco!23 address 0.0.0.0

(config)#crypto ipsec transform-set LAB-Set esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport
(cfg-crypto-trans)#exit

(config)#crypto ipsec profile LAB-IPsec-Profile
(ipsec-profile)#set transform-set LAB-Set
(ipsec-profile)#exit

(config)#interface tunnel 0
(config-if)#tunnel protection ipsec profile LAB-IPsec-Profile
(config-if)#end
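The following configuration audit is an added example, not part of the lab. It reads the Task 1.10 crypto configuration in running-config form and flags the settings a reviewer would question: a wildcard pre-shared key (address 0.0.0.0 accepts the same key from any peer address), an IPsec profile without set pfs (which is why the show crypto map output further down reports PFS (Y/N): N), deprecated ciphers, hashes and DH groups, and a tunnel interface with no tunnel protection at all. The defaults assumed when a policy line is missing (DES, SHA-1, DH group 1) are IOS's ISAKMP policy defaults; the second, weak configuration is constructed for comparison.

```python
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
LEGACY_HASH = {"sha"}              # 'hash sha' is SHA-1 in IOS
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768-, 1024- and 1536-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_crypto_config(config):
    """Collect ISAKMP policies, PSK peer addresses, transform sets, IPsec profiles and
    tunnel interfaces from running-config text (sub-mode commands are indented)."""
    cfg = {"policies": {}, "psk": [], "transform_sets": {}, "profiles": {}, "tunnels": {}}
    ctx = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw.startswith(" "):             # top-level command: new context
            ctx = None
            if (m := re.match(r"^crypto isakmp policy (\d+)$", line)):
                ctx = ("policy", m.group(1)); cfg["policies"][m.group(1)] = {}
            elif (m := re.match(r"^crypto isakmp key (\S+) address (\S+)", line)):
                cfg["psk"].append(m.group(2))   # keep only the peer address, never the key
            elif (m := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)):
                cfg["transform_sets"][m.group(1)] = m.group(2).split()
            elif (m := re.match(r"^crypto ipsec profile (\S+)$", line)):
                ctx = ("profile", m.group(1)); cfg["profiles"][m.group(1)] = {}
            elif (m := re.match(r"^interface (Tunnel\d+)$", line)):
                ctx = ("tunnel", m.group(1)); cfg["tunnels"][m.group(1)] = None
            continue
        if ctx is None:
            continue
        kind, name, parts = ctx[0], ctx[1], line.split()
        if kind == "policy":
            cfg["policies"][name][parts[0]] = " ".join(parts[1:])
        elif kind == "profile" and parts[0] == "set":
            cfg["profiles"][name][parts[1]] = " ".join(parts[2:])
        elif kind == "tunnel" and (m := re.match(r"^tunnel protection ipsec profile (\S+)", line)):
            cfg["tunnels"][name] = m.group(1)
    return cfg


def audit_ipsec_config(config):
    """Return a list of (severity, message) findings for the configuration."""
    cfg, findings = parse_crypto_config(config), []
    for addr in cfg["psk"]:
        if addr == "0.0.0.0":
            findings.append(("HIGH", "wildcard pre-shared key (address 0.0.0.0): the same key "
                             "is accepted from any peer address; scope keys per peer or use certificates"))
    for num, p in cfg["policies"].items():
        enc = p.get("encr", p.get("encryption", "des")).split()[0]   # IOS default: des
        if enc in WEAK_ENCRYPTION:
            findings.append(("HIGH", f"isakmp policy {num}: weak encryption {enc}"))
        h = p.get("hash", "sha")                                     # IOS default: sha (SHA-1)
        if h in WEAK_HASH:
            findings.append(("HIGH", f"isakmp policy {num}: weak hash {h}"))
        elif h in LEGACY_HASH:
            findings.append(("LOW", f"isakmp policy {num}: legacy hash {h} (SHA-1)"))
        group = p.get("group", "1")                                  # IOS default: group 1
        if group in WEAK_DH_GROUPS:
            findings.append(("HIGH", f"isakmp policy {num}: weak DH group {group}"))
    for name, transforms in cfg["transform_sets"].items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(("HIGH", f"transform-set {name}: weak transform {t}"))
    for name, settings in cfg["profiles"].items():
        if "pfs" not in settings:
            findings.append(("MEDIUM", f"ipsec profile {name}: no 'set pfs', IPsec keys are "
                             "derived from the IKE SA without perfect forward secrecy"))
    for name, profile in cfg["tunnels"].items():
        if profile is None:
            findings.append(("HIGH", f"{name}: no tunnel protection, GRE traffic is sent in clear"))
        elif profile not in cfg["profiles"]:
            findings.append(("HIGH", f"{name}: references undefined ipsec profile {profile}"))
    return findings


# The lab's Task 1.10 configuration in running-config form.
LAB_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp key Cisco!23 address 0.0.0.0
crypto ipsec transform-set LAB-Set esp-aes 256 esp-sha512-hmac
 mode transport
crypto ipsec profile LAB-IPsec-Profile
 set transform-set LAB-Set
interface Tunnel0
 tunnel protection ipsec profile LAB-IPsec-Profile
"""

# Constructed weak configuration for comparison (not from the lab).
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY address 192.0.2.1
crypto ipsec transform-set OLD-Set esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile OLD-Profile
 set transform-set OLD-Set
 set pfs group14
interface Tunnel0
 tunnel source GigabitEthernet0/1
"""
```

On the lab's own configuration the audit returns two findings, the wildcard pre-shared key and the missing set pfs; the ciphers, hash and DH group 16 pass. The constructed weak configuration returns six HIGH findings.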

View the IKE Phase 1 tunnels that have been established:

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.2.2.2        35.3.3.3        QM_IDLE           1003 ACTIVE
15.1.1.1        25.2.2.2        QM_IDLE           1001 ACTIVE
35.3.3.3        25.2.2.2        QM_IDLE           1004 ACTIVE
25.2.2.2        15.1.1.1        QM_IDLE           1002 ACTIVE

R2#show crypto engine connections active

Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   AES256+SHA512             0        9        9 25.2.2.2
    2  IPsec   AES256+SHA512             8        0        0 25.2.2.2
    3  IPsec   AES256+SHA512             0        0        0 25.2.2.2
    4  IPsec   AES256+SHA512             0        0        0 25.2.2.2
    5  IPsec   AES256+SHA512             0      413      413 25.2.2.2
    6  IPsec   AES256+SHA512           411        0        0 25.2.2.2
    7  IPsec   AES256+SHA512             0        0        0 25.2.2.2
    8  IPsec   AES256+SHA512             0        0        0 25.2.2.2
    9  IPsec   AES256+SHA512             0        0        0 25.2.2.2
   10  IPsec   AES256+SHA512             0        0        0 25.2.2.2
 1001  IKE     SHA512+AES256             0        0        0 25.2.2.2
 1002  IKE     SHA512+AES256             0        0        0 25.2.2.2
 1003  IKE     SHA512+AES256             0        0        0 25.2.2.2
 1004  IKE     SHA512+AES256             0        0        0 25.2.2.2
R2#show crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: LAB-IPsec-Profile
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                LAB-Set:  { esp-256-aes esp-sha512-hmac  } ,
        }

Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 15.1.1.1
        Extended IP access list
            access-list  permit gre host 25.2.2.2 host 15.1.1.1
        Current peer: 15.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                LAB-Set:  { esp-256-aes esp-sha512-hmac  } ,
        }

Crypto Map IPv4 "Tunnel0-head-0" 65538 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 35.3.3.3
        Extended IP access list
            access-list  permit gre host 25.2.2.2 host 35.3.3.3
        Current peer: 35.3.3.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                LAB-Set:  { esp-256-aes esp-sha512-hmac  } ,
        }

Interfaces using crypto map Tunnel0-head-0:
        Tunnel0
R2#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 25.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (25.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (35.3.3.3/255.255.255.255/47/0)
   current_peer 35.3.3.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 25.2.2.2, remote crypto endpt.: 35.3.3.3
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0xCDF274E3(3455218915)
     PFS (Y/N): N, DH group: none
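As an added check (example code, not from the lab), the following Python reads the show crypto isakmp sa and show crypto ipsec sa outputs above and answers the two questions an operator asks after enabling tunnel protection: is there an ACTIVE QM_IDLE IKE SA toward every expected peer (the hub, and R3 once the spoke-to-spoke shortcut exists), and are packets actually being encapsulated and decapsulated with zero send/receive errors? It also reports PFS (Y/N): N, which the lab's profile leaves disabled. The expected-peer list is assumed from the topology; the sample outputs are copied from this lab.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa': dst, src, state, conn-id, status."""
    rows = []
    for line in text.splitlines():
        if (m := re.match(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+(\d+)\s+(\S+)", line)):
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(5)})
    return rows


def ike_problems(rows, local, expected_peers):
    """Every expected peer needs an established (QM_IDLE, ACTIVE) SA with this router,
    in either direction of the dst/src pair."""
    problems = []
    for peer in expected_peers:
        established = [r for r in rows if {r["dst"], r["src"]} == {local, peer}
                       and r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
        if not established:
            problems.append(f"no established IKE SA between {local} and {peer}")
    return problems


def parse_ipsec_sa(text):
    """Per-peer counters from 'show crypto ipsec sa' (one dict per current_peer block)."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(rf"^current_peer {IP} port (\d+)", line)):
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "pfs": None}
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r"^#pkts encaps: (\d+)", line)):
            cur["encaps"] = int(m.group(1))
        elif (m := re.match(r"^#pkts decaps: (\d+)", line)):
            cur["decaps"] = int(m.group(1))
        elif (m := re.match(r"^#send errors (\d+), #recv errors (\d+)", line)):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"^PFS \(Y/N\): (\w)", line)):
            cur["pfs"] = m.group(1) == "Y"
    return sas


def ipsec_problems(sas):
    """Errors, one-way traffic, and SAs negotiated without PFS."""
    problems = []
    for sa in sas:
        if sa["send_errors"] or sa["recv_errors"]:
            problems.append(f"{sa['peer']}: send/recv errors "
                            f"{sa['send_errors']}/{sa['recv_errors']}")
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            problems.append(f"{sa['peer']}: one-way or no traffic "
                            f"(encaps {sa['encaps']}, decaps {sa['decaps']})")
        if sa["pfs"] is False:
            problems.append(f"{sa['peer']}: PFS disabled")
    return problems


# Copied from this lab: R2's IKE SAs and its IPsec SA toward R3.
R2_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
25.2.2.2        35.3.3.3        QM_IDLE           1003 ACTIVE
15.1.1.1        25.2.2.2        QM_IDLE           1001 ACTIVE
35.3.3.3        25.2.2.2        QM_IDLE           1004 ACTIVE
25.2.2.2        15.1.1.1        QM_IDLE           1002 ACTIVE
"""

R2_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 25.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (25.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (35.3.3.3/255.255.255.255/47/0)
   current_peer 35.3.3.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0

     local crypto endpt.: 25.2.2.2, remote crypto endpt.: 35.3.3.3
     current outbound spi: 0xCDF274E3(3455218915)
     PFS (Y/N): N, DH group: none
"""

LOCAL = "25.2.2.2"                         # R2's NBMA address (from the lab topology)
EXPECTED_PEERS = ["15.1.1.1", "35.3.3.3"]  # the hub, and R3 via the Phase 3 shortcut
```

ike_problems(parse_isakmp_sa(R2_ISAKMP_SA), LOCAL, EXPECTED_PEERS) returns an empty list, confirming both the hub and the spoke-to-spoke Phase 1 SAs; ipsec_problems on the IPsec SA shows traffic flowing in both directions with no errors and reports only that PFS is disabled.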

Lab Completed
