LAB I (OSPF over GRE with and without IPsec)

Setup:

  • R1 functions as the internet: it only routes between the two public links.
  • R2 is the first location; its public (WAN) address is 1.1.1.2/24, with R1 at 1.1.1.1 as next hop.
  • R3 is the second location; its public (WAN) address is 1.1.2.2/24, with R1 at 1.1.2.1 as next hop.

A GRE tunnel is configured between R2 and R3 so that OSPF can run between the two sites across R1: OSPF hellos are link-local multicasts and are not forwarded by the internet router, but over the point-to-point tunnel interface the two routers are directly adjacent. The lab builds the tunnel first without and then with IPsec (tunnel protection), and shows what an observer between R1 and R2 sees in each case.

Configuration without IPsec:

ROUTER 2:

R2:

# WAN ADDRESS
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!

# TUNNEL ADDRESS
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
!

# LAN ADDRESS
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!

# OSPF CONFIG
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!

# DEFAULT ROUTE (TOWARDS R1; THIS IS HOW THE TUNNEL DESTINATION 1.1.2.2 IS REACHED)
# The tunnel endpoint must stay reachable via this static route and never via a route learned
# through the tunnel itself, otherwise the tunnel flaps with recursive routing.
ip route 0.0.0.0 0.0.0.0 1.1.1.1

ROUTER 3:

R3:
# WAN ADDRESS
interface FastEthernet0/0
 ip address 1.1.2.2 255.255.255.0
 duplex auto
 speed auto
!

# TUNNEL ADDRESS
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 1.1.2.2
 tunnel destination 1.1.1.2
!

# LAN ADDRESS
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!

# OSPF CONFIG
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
!

# DEFAULT ROUTE (TOWARDS R1; THIS IS HOW THE TUNNEL DESTINATION 1.1.1.2 IS REACHED)
# Same rule as on R2: the tunnel endpoint is reached via the static default, not via OSPF
# through the tunnel.
ip route 0.0.0.0 0.0.0.0 1.1.2.1

# INTERFACES OUTPUT (R2)
R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            1.1.1.2         YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial1/0                  unassigned      YES NVRAM  administratively down down
Serial1/1                  unassigned      YES NVRAM  administratively down down
Serial1/2                  unassigned      YES NVRAM  administratively down down
Serial1/3                  unassigned      YES NVRAM  administratively down down
Loopback0                  192.168.10.1    YES NVRAM  up                    up
Tunnel0                    10.10.10.1      YES NVRAM  up                    up

# ROUTE OUTPUT (R2)
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 1.1.1.1 to network 0.0.0.0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
C    192.168.10.0/24 is directly connected, Loopback0
# R3's LAN learned via OSPF over the tunnel. Note that it arrives as a /32 host route, not as
# 192.168.20.0/24: OSPF advertises a loopback as a host route regardless of its mask unless the
# loopback's OSPF network type is changed to point-to-point. The metric 11112 is the tunnel
# interface cost (11111) plus the loopback (1).
     192.168.20.0/32 is subnetted, 1 subnets
O       192.168.20.1 [110/11112] via 10.10.10.2, 00:33:45, Tunnel0
     10.0.0.0/30 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 1.1.1.1


# OSPF OUTPUT (R2). FULL/ - with priority 0 and no DR/BDR: Tunnel0 is an OSPF point-to-point
# network type, so there is no election.
R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.20.1      0   FULL/  -        00:00:33    10.10.10.2      Tunnel0

R2#sh ip ospf database

            OSPF Router with ID (192.168.10.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.10.1    192.168.10.1    781         0x80000007 0x008052 3
192.168.20.1    192.168.20.1    773         0x80000007 0x006D50 3


Packet capture between R1 and R2 (capture image omitted): the OSPF hellos and LSAs are carried as plain multicasts inside the GRE tunnel. GRE adds neither confidentiality nor integrity, and this lab does not enable OSPF authentication (AuType 0), so anyone on the path between R1 and R2 can read the router IDs, the area, the neighbor lists and the LSDB contents straight from the capture.

Configuration with IPsec:

The topology and interface configuration remain the same; only the IPsec configuration is added and the tunnel interface is bound to it with tunnel protection:

ROUTER 2:

R2:
# ISAKMP (IKEv1 PHASE 1) POLICY
# Only the authentication method is set; encryption, hash and DH group fall back to the IOS
# defaults for the policy (traditionally DES, SHA-1 and DH group 1, confirm with
# show crypto isakmp policy), which are weak by today's standards.
crypto isakmp policy 10
 authentication pre-share
# PRE-SHARED KEY FOR PEER R3 (a short dictionary word such as CISCO is acceptable in a lab only)
crypto isakmp key CISCO address 1.1.2.2
!
# IPSEC (PHASE 2) TRANSFORM SET. 3DES is a legacy cipher. Transport mode is sufficient here
# because GRE already supplies the outer IP header; tunnel mode would only add another 20 bytes.
crypto ipsec transform-set TransportSet esp-3des esp-sha-hmac
 mode transport
!
# IPSEC PROFILE, APPLIED TO THE TUNNEL INTERFACE BELOW
crypto ipsec profile CCNProfile
 set transform-set TransportSet


# TUNNEL INTERFACE WITH THE PROFILE BOUND VIA tunnel protection
R2#sh run int tunnel0
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
 tunnel protection ipsec profile CCNProfile
end

ROUTER 3:

R3:
# SAME POLICY, TRANSFORM SET AND PROFILE AS R2; THE PRE-SHARED KEY IS BOUND TO R2'S PUBLIC ADDRESS
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 1.1.1.2
!
crypto ipsec transform-set TransportSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CCNProfile
 set transform-set TransportSet

R3#sh run int tunnel0
interface Tunnel0
 ip address 10.10.10.2 255.255.255.252
 tunnel source 1.1.2.2
 tunnel destination 1.1.1.2
 tunnel protection ipsec profile CCNProfile
end
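The following is an added example and not part of the original lab: a small Python check that reads IOS config fragments like the ones above and reports the points a reviewer would raise, for both the unprotected tunnel of the first half and the IPsec configuration of the second half. It assumes the classic IOS IKEv1 defaults for an isakmp policy whose lines are omitted (DES, SHA-1, DH group 1), a 16-character minimum for pre-shared keys (a local policy choice, not an IOS rule), and that the platform accepts aes 256, sha256 and group 14 in the hardened variant, which is my own rewrite rather than anything from the page. All three inputs are constructed for the example: R2's two configs as shown in this lab plus the hardened one.

```python
import re

# IOS fills in these values when an isakmp policy line is omitted (classic IKEv1 defaults;
# an assumption about the platform, verify with 'show crypto isakmp policy' on the real box).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}
MIN_PSK_LEN = 16  # local policy threshold, assumed for this example


def parse_ios(config):
    """Group an IOS config fragment into (top-level line, [indented sub-lines]); '!' and '#' lines dropped."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("!", "#")):
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def check_policy(head, body):
    """Effective policy = explicit lines plus IOS defaults; flag weak effective values."""
    explicit = dict(sub.partition(" ")[::2] for sub in body)
    findings = [f"{head}: '{k}' omitted, IOS default '{v}' applies"
                for k, v in ISAKMP_DEFAULTS.items() if k not in explicit]
    enc = explicit.get("encryption", ISAKMP_DEFAULTS["encryption"]).split()[0]
    if enc in {"des", "3des"}:
        findings.append(f"{head}: encryption {enc} is weak (use aes 256)")
    hsh = explicit.get("hash", ISAKMP_DEFAULTS["hash"])
    if hsh in {"md5", "sha"}:
        findings.append(f"{head}: hash {hsh} is legacy (use sha256 or stronger)")
    grp = explicit.get("group", ISAKMP_DEFAULTS["group"])
    if grp in {"1", "2", "5"}:
        findings.append(f"{head}: DH group {grp} is weak (use 14 or higher)")
    return findings


def audit(config):
    """Return findings for the ISAKMP/IPsec/GRE parts of a config; an empty list means nothing flagged."""
    findings = []
    for head, body in parse_ios(config):
        if head.startswith("crypto isakmp policy"):
            findings += check_policy(head, body)
        elif head.startswith("crypto isakmp key"):
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", head)
            if m and len(m.group(1)) < MIN_PSK_LEN:  # never echo the key itself
                findings.append(f"crypto isakmp key for peer {m.group(2)}: "
                                f"pre-shared key shorter than {MIN_PSK_LEN} characters")
        elif head.startswith("crypto ipsec transform-set"):
            for tok in head.split()[4:]:
                if tok in WEAK_TRANSFORMS:
                    findings.append(f"{head.split()[3]}: transform {tok} is weak")
        elif head.startswith("interface Tunnel"):
            if not any(sub.startswith("tunnel protection ipsec profile") for sub in body):
                findings.append(f"{head}: GRE sent in the clear (no tunnel protection ipsec profile)")
    return findings


# Constructed inputs: R2 as configured in the lab, and a hardened rewrite (my assumption that the
# platform supports aes 256 / sha256 / group 14; the key value is made up for the example).
LAB_R2_NO_IPSEC = """\
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
"""

LAB_R2_IPSEC = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 1.1.2.2
!
crypto ipsec transform-set TransportSet esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile CCNProfile
 set transform-set TransportSet
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
 tunnel protection ipsec profile CCNProfile
"""

HARDENED_R2 = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key L7v!Qz2#pR9wXs4bT0 address 1.1.2.2
!
crypto ipsec transform-set TransportSet esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile CCNProfile
 set transform-set TransportSet
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
 tunnel protection ipsec profile CCNProfile
"""

if __name__ == "__main__":
    for name, cfg in (("no IPsec", LAB_R2_NO_IPSEC), ("lab IPsec", LAB_R2_IPSEC), ("hardened", HARDENED_R2)):
        result = audit(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it as a script to list the findings per config. The lab's IPsec config produces eight: three omitted policy lines, the resulting DES / SHA-1 / group 1 effective values, the short pre-shared key and the 3DES transform; the unprotected tunnel produces one; the hardened config produces none.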
# IPSEC / ISAKMP OUTPUT (R2)
R2#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.2.2/255.255.255.255/47/0)
   current_peer 1.1.2.2 port 500
     PERMIT, flags={origin_is_acl,}
# Both identities are host addresses with protocol 47 (GRE): the SA covers exactly the GRE traffic
# between the two public addresses, which is the proxy identity tunnel protection generates itself.

R2#sh crypto isakmp peers
Peer: 1.1.2.2 Port: 500 Local: 1.1.1.2
 Phase1 id: 1.1.2.2
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.2         1.1.2.2         QM_IDLE           1002    0 ACTIVE
# QM_IDLE / ACTIVE: phase 1 has completed with R3 and the SA is ready for quick mode (phase 2).

IPv6 Crypto ISAKMP SA


Packet capture between R1 and R2 with tunnel protection enabled (capture image omitted): the same OSPF traffic now appears only as ESP (IP protocol 50) packets between 1.1.1.2 and 1.1.2.2. Only the ESP SPI and sequence number are readable; the GRE header, the inner IP header and the OSPF payload sit inside the encrypted and integrity-protected part, so the router IDs, area and LSAs that were readable in the first capture are no longer exposed.
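As an added example that is not part of the original lab, the script below reproduces what the two captures show, using constructed packets rather than real capture data: it builds an OSPF Hello from R2 inside plain GRE (the first capture) and the same traffic wrapped in ESP transport mode (this capture), then parses each the way a passive observer between R1 and R2 would. The ESP payload is opaque filler standing in for 3DES ciphertext (no encryption is performed), IP checksums are left at zero, and the OSPF field values (hello 10, dead 40, AuType 0, neighbor 192.168.20.1) are taken from the lab's defaults and output.

```python
import struct
import ipaddress

IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_OSPF = 89
GRE_PROTO_IPV4 = 0x0800
OSPF_TYPE_HELLO = 1


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload. Constructed sample, not a capture."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ospf_hello(router_id, area, neighbors, hello=10, dead=40):
    """OSPFv2 Hello with AuType 0 (no authentication), as the lab's router ospf 1 config sends it."""
    # mask (0.0.0.0 on point-to-point), hello interval, options (E bit), priority, dead, DR, BDR
    body = struct.pack("!4sHBBI4s4s", b"\0" * 4, hello, 0x02, 0, dead, b"\0" * 4, b"\0" * 4)
    body += b"".join(ipaddress.IPv4Address(n).packed for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_TYPE_HELLO, 24 + len(body),
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area).packed, 0, 0, b"\0" * 8)
    return hdr + body


def gre_encap(outer_src, outer_dst, inner):
    """Plain GRE (no key, no checksum) carrying an IPv4 packet, as Tunnel0 does without tunnel protection."""
    return ipv4(outer_src, outer_dst, IPPROTO_GRE, struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner)


def esp_encap(outer_src, outer_dst, spi, seq, opaque):
    """ESP header followed by 'opaque', which stands in for the ciphertext of the GRE packet.
    Transport mode keeps the original outer IP header, exactly as in the lab's transform set."""
    return ipv4(outer_src, outer_dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + opaque)


def parse_ospf(data):
    """Fields of an OSPFv2 packet that sit in the clear; neighbor list for a Hello."""
    _ver, otype, length, rid, area, _cksum, autype, _auth = struct.unpack("!BBH4s4sHH8s", data[:24])
    out = {"ospf_type": otype, "router_id": str(ipaddress.IPv4Address(rid)),
           "area": str(ipaddress.IPv4Address(area)), "autype": autype}
    if otype == OSPF_TYPE_HELLO:
        body = data[24:length]
        out["neighbors"] = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(20, len(body), 4)]
    return out


def observe(pkt):
    """What a passive observer on the R1-R2 link can read from one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    seen = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])), "proto": pkt[9]}
    payload = pkt[ihl:]
    if seen["proto"] == IPPROTO_ESP:
        # With tunnel protection only SPI, sequence number and ciphertext length are visible.
        seen["spi"], seen["seq"] = struct.unpack("!II", payload[:8])
        seen["ciphertext_len"] = len(payload) - 8
    elif seen["proto"] == IPPROTO_GRE:
        _flags, ptype = struct.unpack("!HH", payload[:4])
        seen["gre_proto"] = ptype
        if ptype == GRE_PROTO_IPV4:
            inner = payload[4:]
            seen["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
            seen["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
            if inner[9] == IPPROTO_OSPF:
                seen.update(parse_ospf(inner[(inner[0] & 0x0F) * 4:]))
    return seen


# Constructed samples mirroring the lab: R2 (1.1.1.2) towards R3 (1.1.2.2).
HELLO = ospf_hello("192.168.10.1", "0.0.0.0", ["192.168.20.1"])
INNER = ipv4("10.10.10.1", "224.0.0.5", IPPROTO_OSPF, HELLO)
PLAIN_GRE = gre_encap("1.1.1.2", "1.1.2.2", INNER)
PROTECTED = esp_encap("1.1.1.2", "1.1.2.2", spi=0x1A2B3C4D, seq=7, opaque=b"\xaa" * (len(INNER) + 8))

if __name__ == "__main__":
    print("without IPsec:", observe(PLAIN_GRE))
    print("with IPsec:   ", observe(PROTECTED))
```

The first dictionary exposes the router ID, area, AuType 0 and the neighbor list; the second exposes nothing beyond the two public addresses, the SPI and a sequence number.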
