CCNP – GRE over IPSEC (Part 3)

Now that you have one remote site up and running, bring up a second site to see what is involved and how the routing will work.

! Remote Router (R3)
!
! FastEthernet0/0 connects to SW1 port 3
interface FastEthernet0/0
ip address 14.38.88.20 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 14.38.1.1
!
interface Tunnel0
ip address 192.168.26.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 14.36.88.6
! Need to add a loopback to see an additional route from R3
!
int l0
ip address 192.168.20.1 255.255.255.0
!
access-list 140 permit gre host 14.38.88.20 host 14.36.88.6
!
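crypto isakmp policy 1
authentication pre-share
! Wildcard pre-shared key: a peer at any address can authenticate with this key
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! Transport mode: GRE already supplies the outer IP header, so IPsec only has to protect the GRE packet
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport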
!
crypto map vpn 10 ipsec-isakmp
set peer 14.36.88.6
set transform-set strong
match address 140
!
interface tunnel0
crypto map vpn
!
interface fa0/0
crypto map vpn

!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

! Main Router
interface Tunnel3
ip address 192.168.26.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 14.38.88.20
!
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
!
crypto map vpn 20 ipsec-isakmp
set peer 14.38.88.20
set transform-set strong
match address 140

You can see that most of the work was done in just setting up the initial connection between R2 and Main. What you see here is the incremental config required to get an additional router up with this lab.
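A consistency check for the two incremental configs above, as an added example that is not part of the original post: on each end the tunnel destination, the crypto map peer and the crypto ACL have to agree, and the two ACLs have to mirror each other, otherwise IPsec negotiation fails or the GRE packets fall outside the protected flow. The function names `parse` and `audit` and the embedded excerpts (only the relevant lines, copied from the listings above) are assumptions of this example.

```python
import re
# Constructed excerpts: only the lines the check reads, copied from the listings above.
R3_CFG = """\
interface Tunnel0
 tunnel destination 14.36.88.6
access-list 140 permit gre host 14.38.88.20 host 14.36.88.6
crypto map vpn 10 ipsec-isakmp
 set peer 14.36.88.6
 match address 140
"""
MAIN_CFG = """\
interface Tunnel3
 tunnel destination 14.38.88.20
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
crypto map vpn 20 ipsec-isakmp
 set peer 14.38.88.20
 match address 140
"""
ACL = re.compile(r"^access-list (\d+) permit (\S+) host (\S+) host (\S+)", re.M)
ENTRY = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp\n((?:[ \t]+.*\n?)*)", re.M)

def parse(cfg):
    """Return (tunnel destinations, [(peer, acl number, ACL flows)] per crypto map entry)."""
    acls = {}
    for num, proto, src, dst in ACL.findall(cfg):
        acls.setdefault(num, []).append((proto, src, dst))
    entries = []
    for body in ENTRY.findall(cfg):
        peer = re.search(r"set peer (\S+)", body)
        acl = re.search(r"match address (\d+)", body)
        if peer and acl:  # skip entries that lack a peer or an ACL
            entries.append((peer.group(1), acl.group(1), acls.get(acl.group(1), [])))
    return re.findall(r"tunnel destination (\S+)", cfg), entries

def audit(local, remote):
    """List mismatches on the local end; an empty list means both ends agree."""
    dests, entries = parse(local)
    mirror = {flow for _, _, flows in parse(remote)[1] for flow in flows}
    problems = []
    for peer, acl, flows in entries:
        if peer not in dests:
            problems.append(f"peer {peer}: no tunnel destination points at it")
        for proto, src, dst in flows:
            if proto != "gre":
                problems.append(f"ACL {acl}: protects {proto}, not gre")
            if dst != peer:
                problems.append(f"ACL {acl}: destination {dst} is not peer {peer}")
            if (proto, dst, src) not in mirror:
                problems.append(f"ACL {acl}: {src} -> {dst} has no mirror on the remote end")
    return problems
```

Run `audit(R3_CFG, MAIN_CFG)` and `audit(MAIN_CFG, R3_CFG)` so each end is checked against the other; both return an empty list for the configs shown here.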

Now for a little troubleshooting. Try sh ip eigrp 60 neighbor:

Main#sh ip eigrp 60 neighbor
IP-EIGRP neighbors for process 60
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
1   192.168.26.1    Tu2         10    00:13:36  21    5000  0    5
0   192.168.16.1    Tu0         12    00:13:49  27    5000  0    6

The Main router sees R3 (192.168.26.1) as an EIGRP neighbor.

Let's see what EIGRP thinks is going on:

Main#sh ip eigrp 60 topology
IP-EIGRP Topology Table for AS(60)/ID(192.168.5.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.168.10.0/24, 1 successors, FD is 297372416
via 192.168.16.1 (297372416/128256), Tunnel0
P 192.168.5.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.26.0/24, 1 successors, FD is 297244416
via Connected, Tunnel2
P 192.168.16.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0
P 192.168.20.0/24, 1 successors, FD is 297372416
via 192.168.26.1 (297372416/128256), Tunnel2

The new routes from R3 are showing up: 192.168.20.0/24 (R3's loopback) is learned via 192.168.26.1 on Tunnel2.

Just to finish up some basic testing, let's see what sh ip route gives us:

Main#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 14.36.1.1 to network 0.0.0.0

D 192.168.10.0/24 [90/297372416] via 192.168.16.1, 00:19:26, Tunnel0
C 192.168.26.0/24 is directly connected, Tunnel2
D 192.168.20.0/24 [90/297372416] via 192.168.26.1, 00:19:13, Tunnel2
C 192.168.5.0/24 is directly connected, Loopback0
C 192.168.16.0/24 is directly connected, Tunnel0
14.0.0.0/16 is subnetted, 1 subnets
C 14.36.0.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 14.36.1.1

Congratulations! If you have followed everything that you have seen here, you should have a 3-router GRE over IPSEC lab up and running.
