{"id":486,"date":"2017-12-05T10:05:07","date_gmt":"2017-12-05T09:05:07","guid":{"rendered":"http:\/\/www.quisted.net\/?p=486"},"modified":"2017-12-05T10:05:07","modified_gmt":"2017-12-05T09:05:07","slug":"ospf-over-gre-with-ipsec","status":"publish","type":"post","link":"https:\/\/www.quisted.net\/index.php\/2017\/12\/05\/ospf-over-gre-with-ipsec\/","title":{"rendered":"LAB I ( OSPF over GRE with and without IPsec )"},"content":{"rendered":"<p><a href=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/topology.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-489 size-full\" src=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/topology.png\" alt=\"Lab topology: R2 and R3 connected through R1, which stands in for the internet\" width=\"778\" height=\"465\" srcset=\"https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/topology.png 778w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/topology-300x179.png 300w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/topology-768x459.png 768w\" sizes=\"auto, (max-width: 778px) 100vw, 778px\" \/><\/a><\/p>\n<p>Setup:<\/p>\n<ul>\n<li>R1 functions as the internet.<\/li>\n<li>R2 is the first location with public IP <strong>1.1.1.2\/24<\/strong> (next hop R1 at 1.1.1.1)<\/li>\n<li>R3 is the second location with public IP <strong>1.1.2.2\/24<\/strong> (next hop R1 at 1.1.2.1)<\/li>\n<\/ul>\n<p>The masks are \/24 because that is what the interface configuration below uses (255.255.255.0) and what the routing table later shows as directly connected. A GRE tunnel is configured between <strong>R2<\/strong> and <strong>R3<\/strong> so that OSPF can form an adjacency between them: OSPF hellos are multicast to 224.0.0.5 and would not be forwarded across R1, but inside GRE they travel as ordinary unicast IP packets (protocol 47) between the two public addresses.<\/p>\n<p>
In the example we will use the same tunnel first without and then with <strong>IPsec<\/strong>, and compare what a packet capture on the R1-R2 link shows in each case.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Configuration_without_IPsec\"><\/span><span style=\"color: #3366ff;\">Configuration without IPsec:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h3><span class=\"ez-toc-section\" id=\"ROUTER_2\"><\/span>ROUTER 2:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre>R2:\n\n<span style=\"color: #ff0000;\"><strong># WAN ADDRESS<\/strong><\/span>\ninterface FastEthernet0\/0\n<strong> ip address 1.1.1.2 255.255.255.0<\/strong>\n duplex auto\n speed auto\n!\n\n<span style=\"color: #ff0000;\"><strong># TUNNEL ADDRESS (tunnel mode defaults to GRE over IP; GRE itself has no authentication)<\/strong><\/span>\ninterface Tunnel0\n<strong> ip address 10.10.10.1 255.255.255.252<\/strong>\n tunnel source 1.1.1.2\n tunnel destination 1.1.2.2\n!\n\n<span style=\"color: #ff0000;\"><strong># LAN ADDRESS<\/strong><\/span>\ninterface Loopback0\n<strong> ip address 192.168.10.1 255.255.255.0<\/strong>\n!\n\n<strong><span style=\"color: #ff0000;\"># OSPF CONFIG<\/span><\/strong>\nrouter ospf 1\n log-adjacency-changes\n<strong> network 10.10.10.0 0.0.0.3 area 0\n network 192.168.10.0 0.0.0.255 area 0<\/strong>\n!\n\n<strong><span style=\"color: #ff0000;\"># DEFAULT ROUTE VIA R1 (THIS IS HOW THE TUNNEL DESTINATION 1.1.2.2 IS REACHED)<\/span><\/strong>\n<strong>ip route 0.0.0.0 0.0.0.0 1.1.1.1<\/strong><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"ROUTER_3\"><\/span>ROUTER 3:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre>R3:\n\n<span style=\"color: #ff0000;\"><strong># WAN ADDRESS<\/strong><\/span>\ninterface FastEthernet0\/0\n<strong> ip address 1.1.2.2 255.255.255.0<\/strong>\n duplex auto\n speed auto\n!\n\n<span style=\"color: #ff0000;\"><strong># TUNNEL ADDRESS<\/strong><\/span>\ninterface Tunnel0\n<strong> ip address 10.10.10.2 255.255.255.252<\/strong>\n tunnel source 1.1.2.2\n tunnel destination 1.1.1.2\n!\n\n<span style=\"color: #ff0000;\"><strong># LAN ADDRESS<\/strong><\/span>\ninterface Loopback0\n<strong> ip address 192.168.20.1 255.255.255.0<\/strong>\n!\n\n<strong><span style=\"color: #ff0000;\"># OSPF CONFIG<\/span><\/strong>\nrouter ospf 1\n log-adjacency-changes\n<strong> network 10.10.10.0 0.0.0.3 area 0\n network 192.168.20.0 0.0.0.255 area 0<\/strong>\n!\n\n<strong><span style=\"color: #ff0000;\"># DEFAULT ROUTE VIA R1 (THIS IS HOW THE TUNNEL DESTINATION 1.1.1.2 IS REACHED)<\/span><\/strong>\n<strong>ip route 0.0.0.0 0.0.0.0 1.1.2.1<\/strong><\/pre>\n<pre><span style=\"color: #ff0000;\"><strong># INTERFACES OUTPUT<\/strong><\/span>\nR2#sh ip int brief\nInterface                  IP-Address      OK? Method Status                Protocol\nFastEthernet0\/0            1.1.1.2         YES NVRAM  up                    up\nFastEthernet0\/1            unassigned      YES NVRAM  administratively down down\nSerial1\/0                  unassigned      YES NVRAM  administratively down down\nSerial1\/1                  unassigned      YES NVRAM  administratively down down\nSerial1\/2                  unassigned      YES NVRAM  administratively down down\nSerial1\/3                  unassigned      YES NVRAM  administratively down down\nLoopback0                  192.168.10.1    YES NVRAM  up                    up\nTunnel0                    10.10.10.1      YES NVRAM  up                    up\n\n<span style=\"color: #ff0000;\"><strong># ROUTE OUTPUT<\/strong><\/span>\nR2#sh ip route\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area\n       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n       E1 - OSPF external type 1, E2 - OSPF external type 2\n       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n       ia - IS-IS inter area, * - candidate default, U - per-user static route\n       o - ODR, P - periodic downloaded static route\nGateway of last resort is 1.1.1.1 to network 0.0.0.0\n     1.0.0.0\/24 is subnetted, 1 subnets\nC       1.1.1.0 is directly connected, FastEthernet0\/0\nC    192.168.10.0\/24 is directly connected, Loopback0\n<strong><span style=\"color: #ff0000;\"># R3's Loopback0 learned via OSPF over the tunnel. A loopback is OSPF network type LOOPBACK,\n# so it is advertised as the host route 192.168.20.1\/32 rather than as 192.168.20.0\/24\n# (\"ip ospf network point-to-point\" on Loopback0 would advertise the configured \/24):<\/span><\/strong>\n     192.168.20.0\/32 is subnetted, 1 subnets\n<strong><span style=\"color: #ff0000;\">O       192.168.20.1 [110\/11112] via 10.10.10.2, 00:33:45, Tunnel0<\/span><\/strong>\n     10.0.0.0\/30 is subnetted, 1 subnets\nC       10.10.10.0 is directly connected, Tunnel0\nS*   0.0.0.0\/0 [1\/0] via 1.1.1.1\n\n\n<span style=\"color: #ff0000;\"><strong># OSPF OUTPUT (Tunnel0 is OSPF network type POINT_TO_POINT, so there is no DR\/BDR election and the state is FULL\/  -):<\/strong><\/span>\n<strong>R2#sh ip ospf neighbor<\/strong>\n\nNeighbor ID     Pri   State           Dead Time   Address         Interface\n192.168.20.1      0   FULL\/  -        00:00:33    10.10.10.2      Tunnel0\n\n<strong>R2#sh ip ospf database<\/strong>\n\n            OSPF Router with ID (192.168.10.1) (Process ID 1)\n\n                Router Link States (Area 0)\n\nLink ID         ADV Router      Age         Seq#       Checksum Link count\n192.168.10.1    192.168.10.1    781         0x80000007 0x008052 3\n192.168.20.1    192.168.20.1    773         0x80000007 0x006D50 3\n<\/pre>\n<p>Packet capture between R1 and R2 (<strong>unencrypted<\/strong> OSPF multicasts over the GRE tunnel). GRE adds neither confidentiality nor authentication: the OSPF router IDs, area, hello timers and LSAs are readable by anyone on the path, and any packet that arrives at 1.1.1.2 with source 1.1.2.2 and protocol 47 is decapsulated into Tunnel0 and handed to OSPF. If the tunnel is to run without IPsec, OSPF authentication on Tunnel0 is the minimum protection against injected adjacencies and routes:<\/p>\n<p><a href=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-487 size-large\" src=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497-1024x609.png\" alt=\"Packet capture on the R1-R2 link: outer IP, GRE, inner IP and OSPF hello all in clear text\" width=\"625\" height=\"372\" srcset=\"https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497-1024x609.png 1024w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497-300x178.png 300w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497-768x457.png 768w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-e1512464617497.png 1920w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n<h1><span class=\"ez-toc-section\" id=\"Configuration_with_IPsec\"><\/span><span style=\"color: #3366ff;\">Configuration with IPsec:<\/span><span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>The topology and interface configuration remain the same; only the IPsec configuration is added, and it is attached to Tunnel0 with <strong>tunnel protection<\/strong>. The transform set uses <strong>transport<\/strong> mode because the GRE header already provides the tunnelling, so ESP only has to wrap the GRE payload between the two public addresses. The parameters shown are lab values: phase 1 sets only pre-shared-key authentication, so encryption, hash and DH group fall back to the IOS defaults (on classic IOS releases DES, SHA-1 and DH group 1), the transform set is 3DES with SHA-1, and the pre-shared key <strong>CISCO<\/strong> is trivially guessable. Use them to study the mechanism, not as a production template.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"ROUTER_2-2\"><\/span>ROUTER 2:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre>R2:\ncrypto isakmp policy 10\n authentication pre-share\ncrypto isakmp key CISCO address 1.1.2.2\n!\ncrypto ipsec transform-set <strong><span style=\"color: #3366ff;\">TransportSet<\/span><\/strong> esp-3des esp-sha-hmac\n mode transport\n!\ncrypto ipsec profile <strong><span style=\"color: #ff0000;\">CCNProfile<\/span><\/strong>\n set transform-set <span style=\"color: #3366ff;\"><strong>TransportSet<\/strong><\/span>\n\n\nR2#sh run int tunnel0\ninterface Tunnel0\n ip address 10.10.10.1 255.255.255.252\n tunnel source 1.1.1.2\n tunnel destination 1.1.2.2\n<strong><span style=\"color: #ff0000;\"> tunnel protection ipsec profile CCNProfile<\/span><\/strong>\nend\n<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"ROUTER_3-2\"><\/span>ROUTER 3:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre>R3:\ncrypto isakmp policy 10\n authentication pre-share\ncrypto isakmp key CISCO address 1.1.1.2\n!\ncrypto ipsec transform-set <span style=\"color: #3366ff;\"><strong>TransportSet<\/strong><\/span> esp-3des esp-sha-hmac\n mode transport\n!\ncrypto ipsec profile <span style=\"color: #ff0000;\"><strong>CCNProfile<\/strong><\/span>\n set transform-set <strong><span style=\"color: #3366ff;\">TransportSet<\/span><\/strong>\n\n\nR3#sh run int tunnel0\ninterface Tunnel0\n ip address 10.10.10.2 255.255.255.252\n tunnel source 1.1.2.2\n tunnel destination 1.1.1.2\n<strong><span style=\"color: #ff0000;\"> tunnel protection ipsec profile CCNProfile<\/span><\/strong>\nend\n<\/pre>\n<pre><span style=\"color: #ff0000;\"><strong># VERIFICATION ON R2: the SA protects GRE (protocol 47) between the two public host addresses<\/strong><\/span>\n<strong>R2#sh crypto ipsec sa<\/strong>\n\ninterface: Tunnel0\n    Crypto map tag: Tunnel0-head-0, local addr 1.1.1.2\n\n   protected vrf: (none)\n<strong>   local  ident (addr\/mask\/prot\/port): (1.1.1.2\/255.255.255.255\/47\/0)\n   remote ident (addr\/mask\/prot\/port): (1.1.2.2\/255.255.255.255\/47\/0)<\/strong>\n   current_peer 1.1.2.2 port 500\n     PERMIT, flags={origin_is_acl,}\n\n<span style=\"color: #ff0000;\"><strong># ISAKMP (phase 1) peer and SA; QM_IDLE means the phase 1 SA is authenticated and available for quick mode (phase 2)<\/strong><\/span>\n<strong>R2#sh crypto isakmp peers<\/strong>\nPeer: 1.1.2.2 Port: 500 Local: 1.1.1.2\n Phase1 id: 1.1.2.2\n\n<strong>R2#sh crypto isakmp sa<\/strong>\nIPv4 Crypto ISAKMP SA\ndst             src             state          conn-id slot status\n1.1.1.2         1.1.2.2         QM_IDLE           1002    0 ACTIVE\n\nIPv6 Crypto ISAKMP SA\n<\/pre>\n<p>Packet capture between R1 and R2 (<strong>encrypted<\/strong>): the GRE packets are now carried inside ESP between 1.1.1.2 and 1.1.2.2. An observer on the path sees only the outer IP header, the ESP SPI and sequence number, and ciphertext; the GRE header, the inner OSPF packets and the LSAs they carry are no longer visible, and the ESP integrity check (esp-sha-hmac) rejects injected or modified packets:<\/p>\n<p><a href=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-488 size-large\" src=\"http:\/\/vps.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314-1024x606.png\" alt=\"Packet capture on the R1-R2 link: only outer IP and ESP visible, payload encrypted\" width=\"625\" height=\"370\" srcset=\"https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314-1024x606.png 1024w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314-300x178.png 300w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314-768x455.png 768w, https:\/\/www.quisted.net\/wp-content\/uploads\/2017\/12\/gre-ipsec-e1512465273314.png 1920w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Setup: R1 functions as the internet. R2 is the first location with Public IP 1.1.1.2\/24 R3 is the second location with Public IP 1.1.2.2\/24 There must be a GRE tunnel configured between R2 and R3 so that OSPF can be used between them. In the example we will use a tunnel with and without IPsec. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[6,14,8,11],"tags":[],"class_list":["post-486","post","type-post","status-publish","format-standard","hentry","category-labs","category-ospf","category-route","category-various"],"_links":{"self":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts\/486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/comments?post=486"}],"version-history":[{"count":0,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/posts\/486\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/media?parent=486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/categories?post=486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quisted.net\/index.php\/wp-json\/wp\/v2\/tags?post=486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
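The lab above leaves two things a practitioner would not leave as they are: in the plain GRE variant the tunnel decapsulates anything sourced from the peer address and OSPF runs on it unauthenticated, and in the IPsec variant the isakmp policy inherits the IOS defaults for everything except the authentication method, the transform set is 3DES/SHA-1, and the pre-shared key is CISCO. The block below is an added example written for this page, not the original post's configuration: R2's side of the same lab hardened along those lines, in the IOS syntax the post uses. It assumes an IOS 15.1(2)T or later image (for the sha256 and group 14 keywords), keeps the post's names (TransportSet, CCNProfile, Tunnel0, OSPF process 1) and addresses, and uses REPLACE-WITH-... placeholders for the two secrets; R3 mirrors it with the addresses swapped.

```cisco
! Hardened R2 configuration for the GRE-over-IPsec lab above. Added example for
! this page, not the original post's config. R3 mirrors it with 1.1.1.2/1.1.2.2
! and the tunnel address swapped. Assumes IOS 15.1(2)T+; the PSK and OSPF key
! strings are placeholders and must be replaced with long random values.
!
! --- IKEv1 phase 1: set every attribute explicitly. The lab's "policy 10" sets
!     only the authentication method, so the rest falls back to the IOS defaults.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Bind the PSK to the single peer address. "CISCO" from the lab is guessable,
! and in this design the PSK is the only thing that authenticates the peer.
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-PSK address 1.1.2.2
!
! --- IKEv1 phase 2: AES-256 with SHA-256 instead of 3DES with SHA-1.
!     Transport mode is kept: the GRE header already provides the tunnel.
crypto ipsec transform-set TransportSet esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile CCNProfile
 set transform-set TransportSet
 set pfs group14
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
! Advertise the configured /24 instead of the /32 host route seen in the lab
 ip ospf network point-to-point
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
! Leave room for GRE (4 bytes) plus the ESP header, IV, padding and ICV on a
! 1500-byte path so OSPF DBD/LSU packets and TCP flows are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
! OSPF authentication on the tunnel: defence in depth alongside IPsec, and the
! minimum if the tunnel is ever run without it
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
 tunnel protection ipsec profile CCNProfile
!
! Only the tunnel should ever form an adjacency; every other interface stays passive
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel0
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

After applying the mirrored configuration on both routers, the same checks as in the post still apply: `show crypto isakmp sa` should return to QM_IDLE / ACTIVE, `show crypto ipsec sa` should show the same 1.1.1.2/1.1.2.2 protocol-47 identities, and `show ip ospf interface Tunnel0` should report message-digest authentication with key id 1 before `show ip ospf neighbor` shows the adjacency FULL again. The OSPF key and the PSK must match on both sides, and the `ip ospf network point-to-point` change on Loopback0 is what makes the learned route appear as 192.168.x.0/24 instead of the /32 in the lab's routing table.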