LAN ---------- site1 ---------------------- INTERNET ---------------------- site2 ---------- LAN
172.16.1.1      .1       202.100.1.0/24 .10          .10 61.128.1.0/24       .1          10.1.1.1
---------------------------------------------------------------------------------------------------------
SITE1
stie1#show running-config
Building configuration...
!
hostname stie1
!
crypto ikev2 keyring Keyring
peer Site2
address 61.128.1.1
pre-shared-key Pre-Key
!
!
!
crypto ikev2 profile IKEv2-Profile
match identity remote address 61.128.1.1 255.255.255.255
identity local address 202.100.1.1
authentication local pre-share
authentication remote pre-share
keyring Keyring
!
!
!
crypto ipsec profile IPSec-Profile
set ikev2-profile IKEv2-Profile
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel source 202.100.1.1
tunnel mode ipsec ipv4
tunnel destination 61.128.1.1
tunnel protection ipsec profile IPSec-Profile
!
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
ip route 10.1.1.0 255.255.255.0 192.168.1.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
stie1#
site2#show running-config
Building configuration...
Current configuration : 1892 bytes
!
!
crypto ikev2 keyring Keyring
peer Site1
address 202.100.1.1
pre-shared-key Pre-Key
!
!
!
crypto ikev2 profile IKEv2-Profile
match identity remote address 202.100.1.1 255.255.255.255
identity local address 61.128.1.1
authentication local pre-share
authentication remote pre-share
keyring Keyring
!
!
!
!
crypto ipsec profile IPSec-Profile
set ikev2-profile IKEv2-Profile
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
tunnel source 61.128.1.1
tunnel mode ipsec ipv4
tunnel destination 202.100.1.1
tunnel protection ipsec profile IPSec-Profile
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 61.128.1.1 255.255.255.0
duplex auto
speed auto
!
!
ip route 0.0.0.0 0.0.0.0 61.128.1.10
ip route 172.16.1.0 255.255.255.0 192.168.1.1
!
!
site2#
---------------------------------------------
site2#show crypto engine connections active
Crypto Engine Connections
ID    Type    Algorithm    Encrypt  Decrypt LastSeqN IP-Address
1001  IKEv2   SHA+AES            0        0        0 61.128.1.1
2001  IPsec   AES+SHA            0      215      215 61.128.1.1
2002  IPsec   AES+SHA          215        0        0 61.128.1.1
site2#
site2#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         61.128.1.1/500        202.100.1.1/500       none/none            READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/611 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0xBFB3BDB0/0x669A576C
IPv6 Crypto IKEv2 Session
site2#
site2#show crypto ikev2 stats
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
 System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego:    1000
 Total IKEv2 SA Count:    1        active:        1        negotiating:    0
 Incoming IKEv2 Requests: 1        accepted:      1        rejected:       0
 Outgoing IKEv2 Requests: 0        accepted:      0        rejected:       0
 Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:       0
 IKEv2 packets dropped at dispatch: 0
 Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0
site2#
site2#show crypto ikev2 proposal
IKEv2 proposal: default
 Encryption : AES-CBC-128                  3DES
 Integrity  : SHA96                        MD596
 PRF        : SHA1                         MD5
 DH Group   : DH_GROUP_1536_MODP/Group 5   DH_GROUP_1024_MODP/Group 2
site2#
site2#show crypto ikev2 policy
IKEv2 policy : default
Match fvrf : global
Match address local : any
Proposal : default
site2#
site2#show crypto ikev2 profile
IKEv2 profile: IKEv2-Profile
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 202.100.1.1 255.255.255.255
Certificate maps: none
Local identity: address 61.128.1.1
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: Keyring
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
site2#
site2#show crypto ipsec profile
IPSEC profile IPSec-Profile
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
#$!default_transform_set_1: { esp-aes esp-sha-hmac } ,
#$!default_transform_set_0: { esp-3des esp-sha-hmac } ,
}
site2#
site2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 61.128.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
#pkts decaps: 115, #pkts decrypt: 115, #pkts verify: 115
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 61.128.1.1, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x669A576C(1721390956)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBFB3BDB0(3216227760)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4547204/2543)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x669A576C(1721390956)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4547204/2543)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
site2#
site2#
site2#ping 172.16.1.1 source 10.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
site2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 61.128.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 202.100.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 215, #pkts encrypt: 215, #pkts digest: 215
#pkts decaps: 215, #pkts decrypt: 215, #pkts verify: 215
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 61.128.1.1, remote crypto endpt.: 202.100.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x669A576C(1721390956)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBFB3BDB0(3216227760)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4547187/2486)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x669A576C(1721390956)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4547187/2486)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
site2#
site2#show crypto ipsec transform-set
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
   will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
   will negotiate = { Transport, },
site2#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 0000
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 2000
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 56C903C5
crypto engine state: installed
crypto engine in slot: N/A
site2#