In this minilab we'll configure a static VTI tunnel between two routers, R1 and R3. I'll show the configuration steps on R1; the config on R3 is symmetrical.
Here's a breakdown of the tasks we have to do in order to accomplish this (basic connectivity is assumed to be configured):
1-Define ISAKMP policy and pre-shared key.
2-Define the IPsec transform-set
3-Create an IPsec profile
4-Create the tunnel interface and configure it accordingly
5-Test!
1-ISAKMP
R1(config)#crypto isakmp key 0 key address 23.23.23.3
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#encryption des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
2-IPsec transform set
R1(config)#crypto ipsec transform-set SET esp-des esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
3-IPsec profile
R1(config)#crypto ipsec profile VTI
R1(ipsec-profile)#set transform-set SET
4-Tunnel interface
R1(config)#int tunnel 0
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source fastEthernet 1/0
R1(config-if)#tunnel destination 23.23.23.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile VTI
5-Route
R1(config)#ip route 3.3.3.0 255.255.255.0 tunnel 0
6-Test
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Notice there's no need to define the source of the ping, as would be in a classic IPsec tunnel where only the traffic between the private networks.
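
The policy in steps 1 to 3 uses DES, MD5 and Diffie-Hellman group 2, which are enough to bring a lab tunnel up but are considered weak for anything else. As an added example (not part of the original post), here are the same crypto objects with stronger parameters. The algorithm choices, the PFS group and the placeholders are assumptions, and an IOS release that supports SHA-256 and group 14 is assumed.

```cisco
! Added example, not from the original post. Names (SET, VTI) and the peer
! address are the post's; algorithm choices and placeholders are assumptions.
!
! Store pre-shared keys AES-encrypted (type 6) in the config instead of type 0.
key config-key password-encrypt <MASTER-KEY-PLACEHOLDER>
password encryption aes
!
! Phase 1: replaces "encryption des", "hash md5" and "group 2".
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 lifetime 3600
 authentication pre-share
!
! Use a long random key here, not a dictionary word.
crypto isakmp key 0 <PSK-PLACEHOLDER> address 23.23.23.3
!
! Phase 2: replaces "esp-des esp-sha-hmac"; mode is left at the IOS default (tunnel).
crypto ipsec transform-set SET esp-aes 256 esp-sha256-hmac
!
! Fresh Diffie-Hellman exchange on every IPsec rekey.
crypto ipsec profile VTI
 set transform-set SET
 set pfs group14
!
! The tunnel interface and static route from steps 4 and 5 stay unchanged.
!
! After bringing the tunnel up, check what was actually negotiated:
!   show crypto isakmp sa detail
!   show crypto ipsec sa
```

Both peers must carry a matching policy, transform-set and key, so the same change goes on R3.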
