16.1.5 Lab – Implement IPsec VTI Site-to-Site VPNs (Answers)
Topology
Addressing Table
Device | Interface | IPv4 Address | Default Gateway |
---|---|---|---|
R1 | G0/0/0 | 64.100.0.2/30 | N/A |
G0/0/1 | 10.10.0.1/29 | ||
Tunnel 1 | 172.16.1.1/30 | ||
R2 | G0/0/0 | 64.100.0.1/30 | N/A |
G0/0/1 | 64.100.1.1/30 | ||
Lo0 | 209.165.200.225 | ||
R3 | G0/0/0 | 64.100.1.2/30 | N/A |
G0/0/1 | 10.10.4.1/30 | ||
Tunnel 1 | 172.16.1.2/30 | ||
D1 | G1/0/11 | 10.10.0.2/29 | N/A |
G1/0/23 | 10.10.1.1/24 | ||
Lo2 | 10.10.2.1/24 | ||
Lo3 | 10.10.3.1/24 | ||
D3 | G1/0/11 | 10.10.0.3/29 | N/A |
G1/0/23 | 10.10.5.1/24 | ||
Lo16 | 10.10.16.1/24 | ||
Lo17 | 10.10.17.1/24 | ||
Lo18 | 10.10.18.1/24 | ||
Lo19 | 10.10.19.1/24 | ||
Lo20 | 10.10.20.1/24 | ||
Lo21 | 10.10.21.1/24 | ||
Lo22 | 10.10.22.1/24 | ||
Lo23 | 10.10.23.1/24 | ||
PC1 | NIC | 10.10.1.10/24 | 10.10.1.1 |
PC3 | NIC | 10.10.5.10/24 | 10.10.5.1 |
Objectives
- Part 1: Build the Network, Configure Basic Device Settings and Static Routing
- Part 2: Configure Static IPsec VTI on R1 and R3
- Part 3: Verify Static IPsec VTI on R1 and R3
Background / Scenario
IPsec can only send unicast IP traffic. Therefore, it does not support protocols that require multicast or broadcast communication such as routing protocols. Although GRE over IPsec can be configured to provide security and support for routing protocols, there is a newer more efficient method that can be used.
IPsec Virtual Tunnel Interface (VTI) greatly simplifies the VPN configuration process and provides a simpler alternative to using GRE tunnels for encapsulation and crypto maps with IPsec. Like GRE over IPsec, IPsec VTI allows for the flexibility of sending and receiving both IP unicast and multicast encrypted traffic. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. Using the IP routing table simplifies the IPsec VPN configuration compared to the more complex process of using access control lists (ACLs) with the crypto map in native IPsec configurations. VTI over IPsec also encapsulates IPv4 or IPv6 traffic without the need for an additional GRE header. GRE adds a 4-byte header to every packet.
In this lab, you will build and configure a static VTI over IPsec with pre-shared key to enable a site-to-site VPN capable of supporting the OSPF routing protocol.
Note: This lab is an exercise in developing, deploying, and verifying how VNPs operate and does not reflect networking best practices.
Note: The routers used with this CCNP hands-on lab are Cisco 4221routers and the two Layer 3 switches are Catalyst 3650 switches. Other routers and Layer 3 switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs.
Note: Ensure that the routers and switches have been erased and have no startup configurations. If you are unsure contact your instructor.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
- 3 Routers (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 2 Switches (Cisco 3650 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 2 PCs (Choice of operating system with a terminal emulation program installed)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet cables as shown in the topology
Instructions
Part 1: Build the Network, Configure Basic Device Settings and Static Routing
In Part 1, you will set up the network topology, configure basic settings, interface addressing, and single-area OSPFv2 on the routers.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.
Step 2: Configure basic settings for the routers.
a. Console into each router and switch, enter global configuration mode, and apply the basic settings, and interface addressing. A command list for each device is provided for your reference.
Routing is enabled as follows:
- R2 has a static route to the networks connected to R1 (i.e., 10.10.0.0/22) and two static routes to the networks connected to R3 (i.e., 10.10.4.0/22, 10.10.16.0/21).
- R1 and R3 each have a default static route to R2.
- OSPFv2 routing is enabled between R1 and D1, and R1 is propagating the default route to D1.
- OSPFv2 routing is enabled between R3 and D3, and R3 is propagating the default route to D3.
- A command list for each device is listed below to perform initial configurations.
Router R1
hostname R1 no ip domain lookup line con 0 logging sync exec-time 0 0 exit banner motd # This is R1, Implement IPsec VTI Site-to-Site VPNs # interface g0/0/0 description Connection to R2 ip add 64.100.0.2 255.255.255.252 no shut exit interface GigabitEthernet0/0/1 description Connection to D1 ip address 10.10.0.1 255.255.255.252 no shut exit router ospf 123 router-id 1.1.1.1 auto-cost reference-bandwidth 1000 network 10.10.0.0 0.0.0.3 area 0 default-information originate exit ip route 0.0.0.0 0.0.0.0 64.100.0.1
Router R2
hostname R2 no ip domain lookup line con 0 logging sync exec-time 0 0 exit banner motd # This is R2, Implement IPsec VTI Site-to-Site VPNs # interface g0/0/0 description Connection to R1 ip add 64.100.0.1 255.255.255.252 no shut exit interface GigabitEthernet0/0/1 description Connection to R3 ip address 64.100.1.1 255.255.255.252 no shut exit int lo0 description Internet simulated address ip add 209.165.200.225 255.255.255.224 exit ip route 0.0.0.0 0.0.0.0 Loopback0 ip route 10.10.0.0 255.255.252.0 64.100.0.2 ip route 10.10.4.0 255.255.252.0 64.100.1.2 ip route 10.10.16.0 255.255.248.0 64.100.1.2
Router R3
hostname R3 no ip domain lookup line con 0 logging sync exec-time 0 0 exit banner motd # This is R3, Implement IPsec VTI Site-to-Site VPNs # interface g0/0/0 description Connection to R2 ip add 64.100.1.2 255.255.255.252 no shut exit interface GigabitEthernet0/0/1 description Connection to D3 ip address 10.10.4.1 255.255.255.252 no shut exit ip route 0.0.0.0 0.0.0.0 64.100.1.1 router ospf 123 router-id 3.3.3.1 auto-cost reference-bandwidth 1000 network 10.10.4.0 0.0.0.3 area 0 default-information originate exit
Switch D1
hostname D1 no ip domain lookup line con 0 exec-timeout 0 0 logging synchronous exit banner motd # This is D1, Implement IPsec VTI Site-to-Site VPNs # interface G1/0/11 description Connection to R1 no switchport ip address 10.10.0.2 255.255.255.252 no shut exit interface G1/0/23 description Connection to PC1 no switchport ip address 10.10.1.1 255.255.255.0 no shut exit int Lo2 description Loopback to simulate an OSPF network ip add 10.10.2.1 255.255.255.0 ip ospf network point-to-point exit int Lo3 description Loopback to simulate an OSPF network ip add 10.10.3.1 255.255.255.0 ip ospf network point-to-point exit ip routing router ospf 123 router-id 1.1.1.2 auto-cost reference-bandwidth 1000 network 10.10.0.0 0.0.3.255 area 0 exit int range G1/0/1 - 10, G1/0/12 - 22, G1/0/24 shut exit
Switch D3
hostname D3 no ip domain lookup line con 0 logging sync exec-time 0 0 exit banner motd # This is D3, Implement IPsec VTI Site-to-Site VPNs # interface G1/0/11 description Connection to R3 no switchport ip address 10.10.4.2 255.255.255.252 no shut exit interface G1/0/23 description Connection to PC3 no switchport ip address 10.10.5.1 255.255.255.0 no shut exit int Lo16 description Loopback to simulate an OSPF network ip add 10.10.16.1 255.255.255.0 ip ospf network point-to-point exit int Lo17 description Loopback to simulate an OSPF network ip add 10.10.17.1 255.255.255.0 ip ospf network point-to-point exit int Lo18 description Loopback to simulate an OSPF network ip add 10.10.18.1 255.255.255.0 ip ospf network point-to-point exit int Lo19 description Loopback to simulate an OSPF network ip add 10.10.19.1 255.255.255.0 ip ospf network point-to-point exit int Lo20 description Loopback to simulate an OSPF network ip add 10.10.20.1 255.255.255.0 ip ospf network point-to-point exit int Lo21 description Loopback to simulate an OSPF network ip add 10.10.21.1 255.255.255.0 ip ospf network point-to-point exit int Lo22 description Loopback to simulate an OSPF network ip add 10.10.22.1 255.255.255.0 ip ospf network point-to-point exit int Lo23 description Loopback to simulate an OSPF network ip add 10.10.23.1 255.255.255.0 ip ospf network point-to-point exit ip routing router ospf 123 router-id 3.3.3.2 auto-cost reference-bandwidth 1000 network 10.10.4.0 0.0.1.255 area 0 network 10.10.16.0 0.0.7.255 area 0 exit int range G1/0/1 - 10, G1/0/12 - 22, G1/0/24 shut
b. Save the running configuration to startup-config.
Step 3: Configure PC1 and PC3 with IP addressing.
Configure the two PCs with the IP addresses listed in the Address Table. Also configure their respective default gateways.
Step 4: On PC1, verify end-to-end connectivity.
a. From PC1, ping
PC3 (10.10.5.10).
PC1> ping 10.10.5.10 Pinging 10.10.5.10 with 32 bytes of data: Reply from 10.10.5.10: bytes=32 time=1ms TTL=123 Reply from 10.10.5.10: bytes=32 time=1ms TTL=123 Reply from 10.10.5.10: bytes=32 time=1ms TTL=123 Reply from 10.10.5.10: bytes=32 time=1ms TTL=123 Ping statistics for 10.10.5.10: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
The pings should be successful. If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
b. From PC1, ping
the first loopback on D3 (10.10.16.1).
PC1> ping 10.10.16.1 Pinging 10.10.16.1 with 32 bytes of data: Reply from 10.10.16.1: bytes=32 time=2ms TTL=250 Reply from 10.10.16.1: bytes=32 time=2ms TTL=250 Reply from 10.10.16.1: bytes=32 time=2ms TTL=250 Reply from 10.10.16.1: bytes=32 time=2ms TTL=250 Ping statistics for 10.10.16.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 2ms, Average = 2ms
The pings should be successful. If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
c. From PC1, ping
the default gateway loopback on R2 (209.165.200.225).
PC1> ping 209.165.200.225 Pinging 209.165.200.225 with 32 bytes of data: Reply from 209.165.200.225: bytes=32 time=1ms TTL=253 Reply from 209.165.200.225: bytes=32 time=1ms TTL=253 Reply from 209.165.200.225: bytes=32 time=1ms TTL=253 Reply from 209.165.200.225: bytes=32 time=1ms TTL=253 Ping statistics for 209.165.200.225: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms
The pings should be successful. If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Step 5: Verify the routing table of R1.
a. Verify the OSPF routing table of R1.
R1# show ip route ospf | begin Gateway Gateway of last resort is 64.100.0.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks O 10.10.1.0/24 [110/11] via 10.10.0.2, 00:29:03, GigabitEthernet0/0/1 O 10.10.2.0/24 [110/2] via 10.10.0.2, 00:29:03, GigabitEthernet0/0/1 O 10.10.3.0/24 [110/2] via 10.10.0.2, 00:29:03, GigabitEthernet0/0/1
The routing table confirms that R1 has knowledge of the networks connected to D1. Notice that R1 has no knowledge of the routes connected to the R3 OSPF domain. The reason why PC1 can still reach PC3 is because R1 has a default static route to R2. R1 forwarded the traffic to R2 because it did not know where the 10.10.5.0 network was. R2 has a static route to this network and therefore forwarded it to R3.
b. Verify the routing table of R3.
R3# show ip route ospf | begin Gateway Gateway of last resort is 64.100.1.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 11 subnets, 3 masks O 10.10.5.0/24 [110/11] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.16.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.17.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.18.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.19.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.20.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.21.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.22.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1 O 10.10.23.0/24 [110/2] via 10.10.4.2, 00:00:41, GigabitEthernet0/0/1
Like R1, the routing table of R3 only contains its local routes.
Part 2: Configure Static IPsec VTI on R1 and R3
A limitation of IPsec VPNs is that it only forwards unicast traffic across the VPN tunnel. Therefore, routing protocol traffic is not propagated across the VPN tunnel.
GRE over IPsec VPN could be configured to support routing protocol traffic over the IPsec VPN. However, IP VTI is simpler and more efficient than GRE over IPsec.
IPsec VTI can be configured using:
- Static VTIs (SVTIs) – SVTI configurations can be used for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs as opposed to crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, therefore reducing the bandwidth for sending encrypted data.
- Dynamic VTIs (DVTIs) – DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels.
The steps to enable IPsec VTI are very similar to GRE over IPsec except:
- Step 1. The tunnel interface is configured with the
tunnel mode ipsec {ipv4 | ipv6}
command. - Step 2. The transform set is configured with the mode tunnel command. An ACL is not required.
Like site-to-site VPNs using crypto maps and GRE over IPsec using crypto maps, IPsec VTI also requires the following:
- ISAKMP policy configuration and pre-shared key configured
- Transform set configured
- IPsec profile configured
In this part, you will configure a static IPsec SVTI to provide an always on site-to-site VPN as shown in the topology diagram.
Step 1: On R1 and R3, configure the ISAKMP policy and pre-shared key.
In this lab, we will use the following parameters for the ISAKMP policy 10 on R1 and R3:
- Encryption: aes 256
- Hash: sha256
- Authentication method: pre-share key
- Diffie-Hellman group: 14
- Lifetime: 3600 seconds (60 minutes / 1 hour)
a. Configure ISAKMP policy 10 on R1 and R3.
R1(config)# crypto isakmp policy 10 R1(config-isakmp)# encryption aes 256 R1(config-isakmp)# hash sha256 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 14 R1(config-isakmp)# lifetime 3600 R1(config-isakmp)# exit R3(config)# crypto isakmp policy 10 R3(config-isakmp)# encryption aes 256 R3(config-isakmp)# hash sha256 R3(config-isakmp)# authentication pre-share R3(config-isakmp)# group 14 R3(config-isakmp)# lifetime 3600 R3(config-isakmp)# exit
b. Configure the pre-shared key of cisco123 on R1 and R3.
Note: Production networks should use longer and more complex keys.
R1(config)# crypto isakmp key cisco123 address 64.100.1.2 R3(config)# crypto isakmp key cisco123 address 64.100.0.2
Step 2: On R1 and R3, configure the transform set and tunnel mode.
Create a new transform set called VTI-VPN using ESP AES 256 for encryption and ESP SHA256 HMAC for authentication and set the mode to tunnel.
Note: The transform set would default to tunnel mode automatically but is configured in the example for emphasis.
R1(config)# crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac R1(cfg-crypto-trans)# mode tunnel R1(cfg-crypto-trans)# exit R3(config)# crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac R3(cfg-crypto-trans)# mode tunnel R3(cfg-crypto-trans)# exit
Step 3: On R1 and R3, configure VTI over IPsec using IPsec profiles.
Configure an IPsec profile called VTI-PROFILE using the crypto ipsec profile ipsec-profile-name
global configuration command and set the transform set to VTI-VPN.
R1(config)# crypto ipsec profile VTI-PROFILE R1(ipsec-profile)# set transform-set VTI-VPN R1(ipsec-profile)# exit R3(config)# crypto ipsec profile VTI-PROFILE R3(ipsec-profile)# set transform-set VTI-VPN R3(ipsec-profile)# exit
Step 4: On R1, configure the tunnel interface.
a. Next, configure a tunnel interface on R1.
open configuration window R1(config)# interface Tunnel1 R1(config-if)# bandwidth 4000 R1(config-if)# ip address 172.16.1.1 255.255.255.252 R1(config-if)# ip mtu 1400 R1(config-if)# tunnel source 64.100.0.2 R1(config-if)# tunnel destination 64.100.1.2 R1(config-if)# *Jan 21 12:31:13.824: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
b. Tunnel interfaces default to tunnel mode gre
mode. However, we must now change the tunnel mode from the default GRE setting to the IPsec setting. Configure Tunnel 1 using the tunnel mode ipsec ipv4
command.
R1(config-if)# tunnel mode ipsec ipv4 R1(config-if)# *Jan 21 12:32:15.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
c. Next, the IPsec profile VTI-PROFILE must be applied using the tunnel protection ipsec profile profile-name
command.
R1(config-if)# tunnel protection ipsec profile VTI-PROFILE R1(config-if)# *Jan 21 12:32:50.103: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R1(config-if)# exit
Notice the informational message that the ISAKMP policy will be used.
Step 5: On R3, configure the tunnel interface.
Now we must mirror the configuration of R1 on R3.
a. Next, configure a GRE tunnel interface on R3.
R3(config)# interface Tunnel1 R3(config-if)# bandwidth 4000 R3(config-if)# ip address 172.16.1.2 255.255.255.252 R3(config-if)# ip mtu 1400 R3(config-if)# tunnel source 64.100.1.2 *Feb 20 12:53:14.367: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down R3(config-if)# tunnel destination 64.100.0.2 R3(config-if)# *Feb 20 12:53:16.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Notice the information messages indicating the line going down and then up.
b. Tunnel 1 must be configured using the tunnel mode ipsec ipv4
command.
R3(config-if)# tunnel mode ipsec ipv4 R3(config-if)# *Feb 20 12:53:45.931: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
Again, the Tunnel 1 interface goes down.
c. Finally, the IPsec profile VTI-PROFILE must be applied using the tunnel protection ipsec profile profile-name
command.
R3(config-if)# tunnel protection ipsec profile VTI-PROFILE R3(config-if)# *Feb 20 12:54:05.111: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R3(config-if)# *Feb 20 12:54:05.381: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up R3(config-if)# exit
Notice the informational message that the ISAKMP policy will be used and that the Tunnel 1 interface is up.
Step 6: On R1 and R3, advertise the tunnel interface in OSPF.
a. On R1, configure OSPF to advertise the tunnel interfaces.
R1(config)# router ospf 123 R1(config-router)# network 172.16.1.0 0.0.0.3 area 0 R1(config-router)# end
b. Next on R3, configure OSPF to advertise the tunnel interfaces.
R3(config)# router ospf 123 R3(config-router)# network 172.16.1.0 0.0.0.3 area 0 R3(config-router)# exit R3(config)# *Feb 20 13:09:48.456: %OSPF-5-ADJCHG: Process 123, Nbr 1.1.1.1 on Tunnel1 from LOADING to FULL, Loading Done R3(config)# exit
Notice the OSPF adjacency message that appears when the network command is entered.
Part 3: Verify Static IPsec VTI on R1 and R3
Now that the IPsec has been configured, we must verify that the tunnel interfaces are correctly enabled, that the crypto session is active, and then generate traffic to confirm it is traversing securely over the IPsec VTI tunnel.
Step 1: On R1 and R3, verify the tunnel interfaces.
a. Use the show interfaces tunnel 1
command to verify the interface settings.
R1# show interfaces tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel Internet address is 172.16.1.1/30 MTU 9938 bytes, BW 4000 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel linestate evaluation up Tunnel source 64.100.0.2, destination 64.100.1.2 Tunnel protocol/transport IPSEC/IP Tunnel TTL 255 Tunnel transport MTU 1438 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "VTI-PROFILE") Last input 00:00:07, output 00:00:08, output hang never Last clearing of "show interface" counters 00:32:55 Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 20 packets input, 2368 bytes, 0 no buffer Received 0 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 23 packets output, 2424 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out
Notice the highlighted output identifying various aspects of the tunnel interface.
b. On R3, use the show interfaces tunnel 1
command to verify the interface settings.
R3# show interface tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel Internet address is 172.16.1.2/30 MTU 9938 bytes, BW 4000 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel linestate evaluation up Tunnel source 64.100.1.2, destination 64.100.0.2 Tunnel protocol/transport IPSEC/IP Tunnel TTL 255 Tunnel transport MTU 1438 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "VTI-PROFILE") Last input 00:00:03, output 00:00:09, output hang never Last clearing of "show interface" counters 00:24:32 Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 62 packets input, 6324 bytes, 0 no buffer Received 0 broadcasts (0 IP multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 58 packets output, 6168 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 output buffer failures, 0 output buffers swapped out
Again, the highlighted output identifies various aspects of the tunnel interface.
Step 2: On R1 and R3, verify the crypto settings.
a. On R1, use the show crypto session
command to verify the operation of the VPN tunnel.
R1# show crypto session Crypto session current status Interface: Tunnel1 Session status: UP-ACTIVE Peer: 64.100.1.2 port 500 Session ID: 0 IKEv1 SA: local 64.100.0.2/500 remote 64.100.1.2/500 Active Session ID: 0 IKEv1 SA: local 64.100.0.2/500 remote 64.100.1.2/500 Active IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 4, origin: crypto map
The output confirms that Tunnel 1 is up and active with R3 (64.100.1.2). The port 500 refers to ISAKMP using UDP port 500.
b. On R3, use the show crypto session
command to verify the operation of the VPN tunnel.
R3# show crypto session Crypto session current status Interface: Tunnel1 Session status: UP-ACTIVE Peer: 64.100.0.2 port 500 Session ID: 0 IKEv1 SA: local 64.100.1.2/500 remote 64.100.0.2/500 Active Session ID: 0 IKEv1 SA: local 64.100.1.2/500 remote 64.100.0.2/500 Active IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 4, origin: crypto map
Step 3: On R1 and R3, verify the routing tables.
a. Verify the R1 routing table for OSPF routes.
R1# show ip route ospf | begin Gateway Gateway of last resort is 64.100.0.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 15 subnets, 3 masks O 10.10.1.0/24 [110/11] via 10.10.0.2, 01:28:00, GigabitEthernet0/0/1 O 10.10.2.0/24 [110/2] via 10.10.0.2, 01:28:00, GigabitEthernet0/0/1 O 10.10.3.0/24 [110/2] via 10.10.0.2, 01:28:00, GigabitEthernet0/0/1 O 10.10.4.0/30 [110/251] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.5.0/24 [110/261] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.16.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.17.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.18.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.19.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.20.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.21.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.22.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1 O 10.10.23.0/24 [110/252] via 172.16.1.2, 00:20:31, Tunnel1
Notice how R1 has learned about the R3 OSPF networks via the tunnel interface.
b. Verify the R3 routing table for OSPF routes.
R3# show ip route ospf | begin Gateway Gateway of last resort is 64.100.1.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 15 subnets, 3 masks O 10.10.0.0/30 [110/251] via 172.16.1.1, 00:22:10, Tunnel1 O 10.10.1.0/24 [110/261] via 172.16.1.1, 00:22:10, Tunnel1 O 10.10.2.0/24 [110/252] via 172.16.1.1, 00:22:10, Tunnel1 O 10.10.3.0/24 [110/252] via 172.16.1.1, 00:22:10, Tunnel1 O 10.10.5.0/24 [110/11] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.16.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.17.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.18.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.19.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.20.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.21.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.22.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1 O 10.10.23.0/24 [110/2] via 10.10.4.2, 01:28:53, GigabitEthernet0/0/1
Notice how R3 has learned about the R1 OSPF networks via the tunnel interface.
c. From D1, trace the path taken to the R3 10.10.5.1 interface.
D1# trace 10.10.5.1 Type escape sequence to abort. Tracing the route to 10.10.5.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.10.0.1 2 msec 2 msec 2 msec 2 172.16.1.2 3 msec 2 msec 3 msec 3 10.10.4.2 3 msec * 4 msec
Notice how the path taken is through the VPN tunnel interface.
d. On R1, verify the IPsec SA encrypted and decrypted statistics.
R1# show crypto ipsec sa | include encrypt|decrypt #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28 #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
e. Verify that there is an operational logical point-to-point link between R1 and R3 using the VTI tunnel interface.
R1# show ip route 172.16.0.0 Routing entry for 172.16.0.0/16, 2 known subnets Attached (2 connections) Variably subnetted with 2 masks C 172.16.1.0/30 is directly connected, Tunnel1 L 172.16.1.1/32 is directly connected, Tunnel1 close configuration window open configuration window R3# show ip route 172.16.0.0 Routing entry for 172.16.0.0/16, 2 known subnets Attached (2 connections) Variably subnetted with 2 masks C 172.16.1.0/30 is directly connected, Tunnel1 L 172.16.1.2/32 is directly connected, Tunnel1
Step 4: Test the IPsec VTI tunnel.
a. From D1, trace the path taken to the R3 10.10.16.1 interface.
D1# trace 10.10.16.1 Type escape sequence to abort. Tracing the route to 10.10.16.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.10.0.1 0 msec 0 msec 9 msec 2 172.16.1.2 0 msec 0 msec 0 msec 3 10.10.4.2 8 msec * 0 msec
Notice now that the path taken is through the VPN tunnel interface.
b. On R1, verify the IPsec SA encrypted and decrypted statistics.
R1# show crypto ipsec sa | include encrypt|decrypt #pkts encaps: 230, #pkts encrypt: 230, #pkts digest: 230 #pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
The output verifies that the IPsec VTI is properly encrypting traffic between both sites. The packets encrypted include the trace packets along with OSPF packets.
Router Interface Summary Table
Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
---|---|---|---|---|
1800 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
1900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2801 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
2811 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
4221 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
4300 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs – Final
Router R1
R1# show run Building configuration... Current configuration : 2005 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R1 ! boot-start-marker boot-end-marker ! no aaa new-model ! no ip domain lookup ! login on-success log ! subscriber templating ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL23313183 no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! redundancy mode none ! crypto isakmp policy 10 encr aes 256 hash sha256 authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco123 address 64.100.1.2 ! crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac mode tunnel ! crypto ipsec profile VTI-PROFILE set transform-set VTI-VPN ! interface Tunnel1 bandwidth 4000 ip address 172.16.1.1 255.255.255.252 ip mtu 1400 tunnel source 64.100.0.2 tunnel mode ipsec ipv4 tunnel destination 64.100.1.2 tunnel protection ipsec profile VTI-PROFILE ! interface GigabitEthernet0/0/0 description Connection to R2 ip address 64.100.0.2 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 description Connection to D1 ip address 10.10.0.1 255.255.255.252 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 123 router-id 1.1.1.1 auto-cost reference-bandwidth 1000 network 10.10.0.0 0.0.0.3 area 0 network 172.16.1.0 0.0.0.3 area 0 default-information originate ! ip forward-protocol nd no ip http server ip http secure-server ip route 0.0.0.0 0.0.0.0 64.100.0.1 ! control-plane ! banner motd ^C This is R1, Implement IPsec VTI Site-to-Site VPNs ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Router R2
R2# show run Building configuration... Current configuration : 1482 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R2 ! boot-start-marker boot-end-marker ! no aaa new-model ! no ip domain lookup ! login on-success log ! subscriber templating ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL23313182 no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! redundancy mode none ! interface Loopback0 description Internet simulated address ip address 209.165.200.225 255.255.255.224 ! interface GigabitEthernet0/0/0 description Connection to R1 ip address 64.100.0.1 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 description Connection to R3 ip address 64.100.1.1 255.255.255.252 negotiation auto ! ip forward-protocol nd no ip http server ip http secure-server ip route 0.0.0.0 0.0.0.0 Loopback0 ip route 10.10.0.0 255.255.252.0 64.100.0.2 ip route 10.10.4.0 255.255.252.0 64.100.1.2 ip route 10.10.16.0 255.255.248.0 64.100.1.2 ! control-plane ! banner motd ^C This is R2, Implement IPsec VTI Site-to-Site VPNs ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Router R3
R3# show run Building configuration... Current configuration : 2005 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 no platform punt-keepalive disable-kernel-core ! hostname R3 ! boot-start-marker boot-end-marker ! no aaa new-model ! no ip domain lookup ! login on-success log ! subscriber templating ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL23313186 no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! redundancy mode none ! crypto isakmp policy 10 encr aes 256 hash sha256 authentication pre-share group 14 lifetime 3600 crypto isakmp key cisco123 address 64.100.0.2 ! crypto ipsec transform-set VTI-VPN esp-aes 256 esp-sha256-hmac mode tunnel ! crypto ipsec profile VTI-PROFILE set transform-set VTI-VPN ! interface Tunnel1 bandwidth 4000 ip address 172.16.1.2 255.255.255.252 ip mtu 1400 tunnel source 64.100.1.2 tunnel mode ipsec ipv4 tunnel destination 64.100.0.2 tunnel protection ipsec profile VTI-PROFILE ! interface GigabitEthernet0/0/0 description Connection to R2 ip address 64.100.1.2 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 description Connection to D3 ip address 10.10.4.1 255.255.255.252 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 123 router-id 3.3.3.1 auto-cost reference-bandwidth 1000 network 10.10.4.0 0.0.0.3 area 0 network 172.16.1.0 0.0.0.3 area 0 default-information originate ! ip forward-protocol nd no ip http server ip http secure-server ip route 0.0.0.0 0.0.0.0 64.100.1.1 ! control-plane ! banner motd ^C This is R3, Implement IPsec VTI Site-to-Site VPNs ^C ! line con 0 exec-timeout 0 0 logging synchronous transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 login ! end
Switch D1
D1# show run Building configuration... Current configuration : 7035 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec ! Call-home is enabled by Smart-Licensing. service call-home no platform punt-keepalive disable-kernel-core ! hostname D1 ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no aaa new-model switch 1 provision ws-c3650-24ps ! call-home ! If contact email address in call-home is configured as [email protected] ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications. contact-email-addr [email protected] profile "CiscoTAC-1" active destination transport-method http no destination transport-method email ip routing ! no ip domain lookup ! login on-success log ! crypto pki trustpoint SLA-TrustPoint enrollment pkcs12 revocation-check crl ! crypto pki certificate chain SLA-TrustPoint certificate ca 01 30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934 3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520 1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE 4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC 7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188 68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7 C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191 C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44 DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201 06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85 4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500 03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905 604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8 467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C 7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B 5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678 80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB 418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0 D697DF7F 28 quit ! license boot level ipservicesk9 ! diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! redundancy mode sso ! transceiver type all monitoring ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! interface Loopback2 description Loopback to simulate an OSPF network ip address 10.10.2.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback3 description Loopback to simulate an OSPF network ip address 10.10.3.1 255.255.255.0 ip ospf network point-to-point ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 shutdown ! interface GigabitEthernet1/0/2 shutdown ! interface GigabitEthernet1/0/3 shutdown ! interface GigabitEthernet1/0/4 shutdown ! interface GigabitEthernet1/0/5 shutdown ! interface GigabitEthernet1/0/6 shutdown ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 description Connection to R1 no switchport ip address 10.10.0.2 255.255.255.252 ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 description Connection to PC1 no switchport ip address 10.10.1.1 255.255.255.0 ! interface GigabitEthernet1/0/24 shutdown ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 ! interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface Vlan1 no ip address ! router ospf 123 router-id 1.1.1.2 auto-cost reference-bandwidth 1000 network 10.10.0.0 0.0.3.255 area 0 ! ip forward-protocol nd ip http server ip http secure-server ! control-plane service-policy input system-cpp-policy ! banner motd ^C This is D1, Implement IPsec VTI Site-to-Site VPNs ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login line vty 5 15 login ! end
Switch D3
D3# show run Building configuration... Current configuration : 7928 bytes ! version 16.9 no service pad service timestamps debug datetime msec service timestamps log datetime msec ! Call-home is enabled by Smart-Licensing. service call-home no platform punt-keepalive disable-kernel-core ! hostname D3 ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no aaa new-model switch 1 provision ws-c3650-24ps ! call-home ! If contact email address in call-home is configured as [email protected] ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications. contact-email-addr [email protected] profile "CiscoTAC-1" active destination transport-method http no destination transport-method email ip routing ! no ip domain lookup ! login on-success log crypto pki trustpoint SLA-TrustPoint enrollment pkcs12 revocation-check crl ! ! crypto pki certificate chain SLA-TrustPoint certificate ca 01 30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934 3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520 1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE 4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC 7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188 68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7 C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191 C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44 DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201 06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85 4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500 03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905 604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8 467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C 7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B 5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678 80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB 418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0 D697DF7F 28 quit ! license boot level ipservicesk9 diagnostic bootup level minimal ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! redundancy mode sso ! transceiver type all monitoring ! ! class-map match-any system-cpp-police-topology-control description Topology control class-map match-any system-cpp-police-sw-forward description Sw forwarding, L2 LVX data, LOGGING class-map match-any system-cpp-default description Inter FED, EWLC control, EWLC data class-map match-any system-cpp-police-sys-data description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFLSAMPLED DATA, RPF Failed class-map match-any system-cpp-police-punt-webauth description Punt Webauth class-map match-any system-cpp-police-l2lvx-control description L2 LVX control packets class-map match-any system-cpp-police-forus description Forus Address resolution and Forus traffic class-map match-any system-cpp-police-multicast-end-station description MCAST END STATION class-map match-any system-cpp-police-multicast description Transit Traffic and MCAST Data class-map match-any system-cpp-police-l2-control description L2 control class-map match-any system-cpp-police-dot1x-auth description DOT1X Auth class-map match-any system-cpp-police-data description ICMP redirect, ICMP_GEN and BROADCAST class-map match-any system-cpp-police-stackwise-virt-control description Stackwise Virtual class-map match-any non-client-nrt-class class-map match-any system-cpp-police-routing-control description Routing control and Low Latency class-map match-any system-cpp-police-protocol-snooping description Protocol snooping class-map match-any system-cpp-police-dhcp-snooping description DHCP snooping class-map match-any system-cpp-police-system-critical description System Critical and Gold Pkt ! policy-map system-cpp-policy ! interface Loopback16 description Loopback to simulate an OSPF network ip address 10.10.16.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback17 description Loopback to simulate an OSPF network ip address 10.10.17.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback18 description Loopback to simulate an OSPF network ip address 10.10.18.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback19 description Loopback to simulate an OSPF network ip address 10.10.19.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback20 description Loopback to simulate an OSPF network ip address 10.10.20.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback21 description Loopback to simulate an OSPF network ip address 10.10.21.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback22 description Loopback to simulate an OSPF network ip address 10.10.22.1 255.255.255.0 ip ospf network point-to-point ! interface Loopback23 description Loopback to simulate an OSPF network ip address 10.10.23.1 255.255.255.0 ip ospf network point-to-point ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 shutdown ! interface GigabitEthernet1/0/2 shutdown ! interface GigabitEthernet1/0/3 shutdown ! interface GigabitEthernet1/0/4 shutdown ! interface GigabitEthernet1/0/5 shutdown ! interface GigabitEthernet1/0/6 shutdown ! interface GigabitEthernet1/0/7 shutdown ! interface GigabitEthernet1/0/8 shutdown ! interface GigabitEthernet1/0/9 shutdown ! interface GigabitEthernet1/0/10 shutdown ! interface GigabitEthernet1/0/11 description Connection to R3 no switchport ip address 10.10.4.2 255.255.255.252 ! interface GigabitEthernet1/0/12 shutdown ! interface GigabitEthernet1/0/13 shutdown ! interface GigabitEthernet1/0/14 shutdown ! interface GigabitEthernet1/0/15 shutdown ! interface GigabitEthernet1/0/16 shutdown ! interface GigabitEthernet1/0/17 shutdown ! interface GigabitEthernet1/0/18 shutdown ! interface GigabitEthernet1/0/19 shutdown ! interface GigabitEthernet1/0/20 shutdown ! interface GigabitEthernet1/0/21 shutdown ! interface GigabitEthernet1/0/22 shutdown ! interface GigabitEthernet1/0/23 description Connection to PC3 no switchport ip address 10.10.5.1 255.255.255.0 ! interface GigabitEthernet1/0/24 shutdown ! interface GigabitEthernet1/1/1 ! interface GigabitEthernet1/1/2 ! interface GigabitEthernet1/1/3 ! interface GigabitEthernet1/1/4 ! interface Vlan1 no ip address ! router ospf 123 router-id 3.3.3.2 auto-cost reference-bandwidth 1000 network 10.10.4.0 0.0.1.255 area 0 network 10.10.16.0 0.0.7.255 area 0 ! ip forward-protocol nd ip http server ip http secure-server ! control-plane service-policy input system-cpp-policy ! banner motd ^C This is D3, Implement IPsec VTI Site-to-Site VPNs ^C ! line con 0 exec-timeout 0 0 logging synchronous stopbits 1 line aux 0 stopbits 1 line vty 0 4 login line vty 5 15 login ! end
Hi admin and members.
I think it’s wise to provide the pka files so that we can practise.
because having the commands without practising on our own is not good.
I’m taking about all the ccna encor and enarsi lab.