IPSec Tunnel Interfaces

A sample configuration of IPSec tunnel interfaces (VTI), a feature introduced in IOS 12.3(14)T (updated 2006-03-29).

  • Topology used for this example: [figure: Topology used for Example IPSec Tunnel Interfaces]


Configuration

ISAKMP (IKE phase 1) is configured as usual; this example uses AES-256, pre-shared-key authentication and DH group 5. Note that the pre-shared key appears in cleartext in the running configuration unless IOS key encryption (key config-key password-encryption, type 6) is enabled:


crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5

crypto isakmp key MXg6AzCGBYw/I0%$ address 172.30.2.2

Next, a transform set is configured and attached to an IPSec profile; with tunnel interfaces the profile takes the place of the crypto map of a classic configuration:


! 256-bit AES: the SA output further down shows esp-256-aes, so the key
! length must be given explicitly (plain esp-aes would negotiate 128 bit)
crypto ipsec transform-set EspAesSha esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
  set transform-set EspAesSha

Next, a tunnel interface is created. Its address is the /30 inside the tunnel; source and destination are the public addresses of the two peers:


interface Tunnel 0
  ip address 10.11.11.1 255.255.255.252
  tunnel source FastEthernet0/1
  tunnel destination 172.30.2.2

This tunnel is set to IPSec mode and protected with the IPSec profile. "tunnel mode ipsec ipv4" makes it a native IPSec tunnel without a GRE header, and "tunnel protection" binds the profile to the interface, so everything routed into Tunnel0 is encrypted:


interface Tunnel 0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile TunnelProfile

The physical interface has to allow the IPSec packets in: ESP (IP protocol 50) and ISAKMP (UDP 500). If either peer sits behind NAT, NAT traversal on UDP 4500 has to be permitted as well:


ip access-list extended outside-in
  remark ACL inbound from the Internet
  permit esp any host 172.30.1.2
  permit udp any host 172.30.1.2 eq 500

The configuration of the WAN interface, with the ACL applied inbound:


interface FastEthernet0/1
  description WAN-Interface
  ip address 172.30.1.2 255.255.255.0
  ip access-group outside-in in

A routing process can now be started on the tunnel interface. This is the main difference from a crypto-map configuration: the routing table, not a crypto ACL, decides which traffic is encrypted:


router eigrp 1
  network 10.0.0.0
  no auto-summary

Remote networks are then learned through the tunnel:


Router1# show ip route eigrp
    10.0.0.0/24 is subnetted, 3 subnets
D      10.0.2.0 [90/297246976] via 10.11.11.2, 15:33:11, Tunnel0
Router#
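The post shows only Router1's side. As an added example that is not part of the original post, here is the matching configuration of the peer (Router2 at 172.30.2.2), mirroring each step above. Everything taken from the page (peer addresses, the tunnel /30, the transform set and profile names, the pre-shared key, the EIGRP process and the 10.0.2.0/24 LAN seen in the routing table) is kept; the interface names on Router2, the LAN address 10.0.2.1/24 and the fact that the two WAN addresses can already reach each other over the underlying network are assumptions.

```cisco
! Added example: peer side (Router2, 172.30.2.2) of the tunnel above.
! Not from the original post. Assumed: FastEthernet0/1 as WAN and
! FastEthernet0/0 as LAN interface, LAN address 10.0.2.1/24, and
! existing IP reachability between 172.30.1.2 and 172.30.2.2.
!
! Phase 1: policy must match Router1, the key must be identical.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key MXg6AzCGBYw/I0%$ address 172.30.1.2
!
! Phase 2: same transform set and profile as on Router1.
! "set pfs group5" would add perfect forward secrecy, but it has to be
! configured in the profile on BOTH peers, so it is left out here to
! match the Router1 profile shown above.
crypto ipsec transform-set EspAesSha esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
 set transform-set EspAesSha
!
! Tunnel interface: source/destination swapped, other end of the /30.
interface Tunnel0
 ip address 10.11.11.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 172.30.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
! Tightened compared to the page: only ESP and ISAKMP from the known
! peer are accepted. Add "permit udp host 172.30.1.2 host 172.30.2.2
! eq 4500" only if NAT traversal is in use.
ip access-list extended outside-in
 remark ACL inbound from the Internet
 permit esp host 172.30.1.2 host 172.30.2.2
 permit udp host 172.30.1.2 host 172.30.2.2 eq 500
!
interface FastEthernet0/1
 description WAN-Interface
 ip address 172.30.2.2 255.255.255.0
 ip access-group outside-in in
!
interface FastEthernet0/0
 description LAN-Interface (assumed)
 ip address 10.0.2.1 255.255.255.0
!
! Routing selects the traffic to encrypt: EIGRP over Tunnel0 advertises
! 10.0.2.0/24 to Router1 (the route seen in "show ip route eigrp" above)
! and learns Router1's networks in return.
router eigrp 1
 network 10.0.0.0
 no auto-summary
```

Because both the 10.0.x.0 LANs and the tunnel /30 fall under "network 10.0.0.0", EIGRP forms its adjacency over Tunnel0 and only traffic that the routing table sends into the tunnel is encrypted; the "outside-in" ACL does not need to know anything about the protected networks.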

The router automatically generates a crypto map from the profile. Note the proxy identity "permit ip any any" (traffic selection is done by routing, not by a crypto ACL) and "PFS (Y/N): N": the profile as shown does not enable perfect forward secrecy; "set pfs group5" in the profile on both peers would turn it on:


Router1#sh cry map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
     Profile name: TunnelProfile
     Security association lifetime: 4608000 kilobytes/3600 seconds
     PFS (Y/N): N
     Transform sets={
 	   EspAesSha,
     }

Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp
     Map is a PROFILE INSTANCE.
     Peer = 172.30.2.2
     Extended IP access list
         access-list  permit ip any any
     Current peer: 172.30.2.2
     Security association lifetime: 4608000 kilobytes/3600 seconds
     PFS (Y/N): N
     Transform sets={
 	   EspAesSha,
     }
     Interfaces using crypto map Tunnel0-head-0:
           Tunnel0

The resulting IPSec SA. Local and remote identities are 0.0.0.0/0, i.e. one SA pair covers everything routed into the tunnel, and replay detection is active:


Router1#sh cry ips sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 172.30.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.30.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
    #pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x47537458(1196651608)

 inbound esp sas:
      spi: 0x230B9AF1(587963121)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4536356/3553)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x47537458(1196651608)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4536356/3551)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
…
