02 September, 2014

Adding Security to DMVPN GRE Tunnels


Before and After
- Naked GRE
- IPsec Protected GRE

Configure R1: 
R1-Hub(config)#crypto isakmp policy 5 
R1-Hub(config-isakmp)#hash sha
R1-Hub(config-isakmp)#authentication pre-share 
R1-Hub(config-isakmp)#group 14                                        <-- (2048 bit)
R1-Hub(config-isakmp)#lifetime 86400
R1-Hub(config-isakmp)#encryption aes 256 
R1-Hub(config-isakmp)#exit
R1-Hub(config)#crypto isakmp key cisco123 address 0.0.0.0        <-- (Any peer that has the same PSK)
R1-Hub(config)#crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac 
R1-Hub(cfg-crypto-trans)#mode transport 
R1-Hub(cfg-crypto-trans)#exit
R1-Hub(config)#crypto ipsec profile OUR_IPSec_PROFILE
R1-Hub(ipsec-profile)#set transform-set OURSET
R1-Hub(ipsec-profile)#exit
R1-Hub(config)#in tunnel 0
R1-Hub(config-if)#tunnel protection ipsec profile OUR_IPSec_PROFILE     
*Sep  3 00:47:09.627: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep  3 00:47:11.299: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /15.0.0.1, src_addr= 35.0.0.3, prot= 47

Configure R2: 
R2-Spoke(config)#crypto isakmp policy 5 
R2-Spoke(config-isakmp)#hash sha
R2-Spoke(config-isakmp)#authentication pre-share 
R2-Spoke(config-isakmp)#group 14                 
R2-Spoke(config-isakmp)#lifetime 86400
R2-Spoke(config-isakmp)#encryption aes 256 
R2-Spoke(config-isakmp)#exit
R2-Spoke(config)#crypto isakmp key cisco123 address 0.0.0.0 
R2-Spoke(config)#crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac 
R2-Spoke(cfg-crypto-trans)#mode transport 
R2-Spoke(cfg-crypto-trans)#exit
R2-Spoke(config)#crypto ipsec profile OUR_IPSec_PROFILE
R2-Spoke(ipsec-profile)#set transform-set OURSET
R2-Spoke(ipsec-profile)#exit
R2-Spoke(config)#in tunnel 0
R2-Spoke(config-if)#tunnel protection ipsec profile OUR_IPSec_PROFILE 

Configure R3: 
R3-Spoke(config)#crypto isakmp policy 5 
R3-Spoke(config-isakmp)#hash sha
R3-Spoke(config-isakmp)#authentication pre-share 
R3-Spoke(config-isakmp)#group 14                 
R3-Spoke(config-isakmp)#lifetime 86400
R3-Spoke(config-isakmp)#encryption aes 256 
R3-Spoke(config-isakmp)#exit
R3-Spoke(config)#crypto isakmp key cisco123 address 0.0.0.0 
R3-Spoke(config)#crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac 
R3-Spoke(cfg-crypto-trans)#mode transport 
R3-Spoke(cfg-crypto-trans)#exit
R3-Spoke(config)#crypto ipsec profile OUR_IPSec_PROFILE
R3-Spoke(ipsec-profile)#set transform-set OURSET
R3-Spoke(ipsec-profile)#exit
R3-Spoke(config)#in tunnel 0
R3-Spoke(config-if)#tunnel protection ipsec profile OUR_IPSec_PROFILE 

Configure R4: 
R4-Spoke(config)#crypto isakmp policy 5 
R4-Spoke(config-isakmp)#hash sha
R4-Spoke(config-isakmp)#authentication pre-share 
R4-Spoke(config-isakmp)#group 14                 
R4-Spoke(config-isakmp)#lifetime 86400
R4-Spoke(config-isakmp)#encryption aes 256 
R4-Spoke(config-isakmp)#exit
R4-Spoke(config)#crypto isakmp key cisco123 address 0.0.0.0 
R4-Spoke(config)#crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac 
R4-Spoke(cfg-crypto-trans)#mode transport 
R4-Spoke(cfg-crypto-trans)#exit
R4-Spoke(config)#crypto ipsec profile OUR_IPSec_PROFILE
R4-Spoke(ipsec-profile)#set transform-set OURSET
R4-Spoke(ipsec-profile)#exit
R4-Spoke(config)#in tunnel 0
R4-Spoke(config-if)#tunnel protection ipsec profile OUR_IPSec_PROFILE 
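The same crypto settings are typed into all four routers above, so a quick way to catch a spoke that was missed, or a policy that drifted to a weaker group or hash, is to audit each router's running-config. The script below is an added example, not part of this post: it takes the R1-Hub commands as they would appear in show running-config (the sample text is constructed here; IOS stores "encryption" as "encr"), flags ISAKMP policies with weak DH groups or algorithms, the wildcard pre-shared key bound to 0.0.0.0, weak ESP transforms, and any Tunnel interface that still has no tunnel protection (the "naked GRE" case from the start of the post).

```python
import re

# Constructed sample: the R1-Hub commands above as 'show running-config' would list them.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile OUR_IPSec_PROFILE
 set transform-set OURSET
interface Tunnel0
 tunnel protection ipsec profile OUR_IPSec_PROFILE
"""
WEAK_DH = {"1", "2", "5"}   # MODP groups below the 2048-bit group 14 used in this post
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WILDCARD_KEY = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$")

def sections(config):
    """Group running-config text into (header, [indented sub-lines]) pairs."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def audit_crypto_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for attr in body:
                kw, val = attr.split()[:2]      # e.g. ("group", "14"), ("encr", "aes")
                if (kw == "group" and val in WEAK_DH) or (kw in ("encr", "hash") and val in WEAK_ALGS):
                    findings.append(f"{header}: weak {kw} {val}")
        elif WILDCARD_KEY.match(header):
            findings.append("isakmp key bound to 0.0.0.0: any host holding the PSK can negotiate IKE")
        elif header.startswith("crypto ipsec transform-set") and WEAK_ALGS & set(words[4:]):
            findings.append(f"transform-set {words[3]}: weak ESP algorithm")
        elif header.startswith("interface Tunnel") and not any(
                b.startswith("tunnel protection ipsec profile") for b in body):
            findings.append(f"{header}: no tunnel protection, GRE is sent in the clear")
    return findings
```

Run against the post's own settings, the only finding is the wildcard PSK, which the annotation on the hub config already points out.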

! Verify Configuration 
R2-Spoke#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details 
IPv4 NHS: 172.16.0.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1       15.0.0.1      172.16.0.1    UP 00:00:23    S      172.16.0.1/32

R2-Spoke#ping 10.4.4.4 source lo 0
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/104/164 ms

R2-Spoke#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details 
IPv4 NHS: 172.16.0.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1       15.0.0.1      172.16.0.1    UP 00:00:23    S      172.16.0.1/32
    1       45.0.0.4      172.16.0.4    UP 00:00:16    D      172.16.0.4/32

R2-Spoke#show ip nhrp 
172.16.0.1/32 via 172.16.0.1
   Tunnel0 created 00:33:03, never expire 
   Type: static, Flags: used 
   NBMA address: 15.0.0.1 
172.16.0.2/32 via 172.16.0.2
   Tunnel0 created 00:00:24, expire 01:59:35
   Type: dynamic, Flags: router unique local 
   NBMA address: 25.0.0.2 
    (no-socket) 
172.16.0.4/32 via 172.16.0.4
   Tunnel0 created 00:00:25, expire 01:59:35
   Type: dynamic, Flags: router implicit 
   NBMA address: 45.0.0.4 
   
R2-Spoke#show dmvpn detail 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.16.0.2, VRF "" 
   Tunnel Src./Dest. addr: 25.0.0.2/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "OUR_IPSec_PROFILE
   Interface State Control: Disabled
IPv4 NHS: 172.16.0.1 RE
Type:Spoke, Total NBMA Peers (v4/v6): 4

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1       15.0.0.1      172.16.0.1    UP 00:12:49    S      172.16.0.1/32
    1       25.0.0.2      172.16.0.2    UP 00:01:54  DLX      172.16.0.2/32
    1       35.0.0.3      172.16.0.3    UP 00:01:54    D      172.16.0.3/32
    1       45.0.0.4      172.16.0.4    UP 00:01:54    D      172.16.0.4/32

Crypto Session Details: 
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x67C838DC]
  IKE SA: local 25.0.0.2/500 remote 15.0.0.1/500 Active 
          Capabilities:(none) connid:1004 lifetime:23:47:09
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none), Phase1_id: 15.0.0.1
  IPSEC FLOW: permit 47 host 25.0.0.2 host 15.0.0.1 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 155 drop 0 life (KB/Sec) 4411088/2830
        Outbound: #pkts enc'ed 146 drop 0 life (KB/Sec) 4411090/2830
   Outbound SPI : 0x62A0750D, transform : esp-256-aes esp-sha-hmac 
    Socket State: Open

Interface: Tunnel0
Session: [0x67C836FC]
  IKE SA: local 25.0.0.2/500 remote 45.0.0.4/500 Active 
          Capabilities:(none) connid:1018 lifetime:23:58:04
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none), Phase1_id: 45.0.0.4
  IPSEC FLOW: permit 47 host 25.0.0.2 host 45.0.0.4 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2 drop 0 life (KB/Sec) 4579927/3485
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4579927/3485
   Outbound SPI : 0x37F51D9D, transform : esp-256-aes esp-sha-hmac       <--  (ESP SPI to match against the Wireshark capture)
    Socket State: Open
Pending DMVPN Sessions:

R2-Spoke#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
35.0.0.3        25.0.0.2        QM_IDLE           1017 ACTIVE
15.0.0.1        25.0.0.2        QM_IDLE           1004 ACTIVE
45.0.0.4        25.0.0.2        QM_IDLE           1018 ACTIVE
IPv6 Crypto ISAKMP SA

R2-Spoke#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1017  25.0.0.2        35.0.0.3                 ACTIVE aes  sha  psk  14 23:53:26     
       Engine-id:Conn-id =  SW:17
1004  25.0.0.2        15.0.0.1                 ACTIVE aes  sha  psk  14 23:42:31     
       Engine-id:Conn-id =  SW:4
1018  25.0.0.2        45.0.0.4                 ACTIVE aes  sha  psk  14 23:53:26     
       Engine-id:Conn-id =  SW:18
IPv6 Crypto ISAKMP SA

R2-Spoke#show crypto ipsec sa peer 45.0.0.4
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 25.0.0.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (25.0.0.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (45.0.0.4/255.255.255.255/47/0)
   current_peer 45.0.0.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 25.0.0.2, remote crypto endpt.: 45.0.0.4
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x37F51D9D(938810781)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xBC9EB9E5(3164518885)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 33, flow_id: 33, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4579927/3119)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x37F51D9D(938810781)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 34, flow_id: 34, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4579927/3119)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE         
     outbound ah sas:
     outbound pcp sas:

R2-Spoke#show dmvpn peer nbma 45.0.0.4 detail 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.16.0.2, VRF "" 
   Tunnel Src./Dest. addr: 25.0.0.2/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect " 
   Interface State Control: Disabled
IPv4 NHS: 172.16.0.1 RE
Type:Unknown, Total NBMA Peers (v4/v6): 1

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1       45.0.0.4      172.16.0.4    UP 00:10:14    D      172.16.0.4/32

Crypto Session Details: 
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x67C838DC]
  IKE SA: local 25.0.0.2/500 remote 45.0.0.4/500 Active 
          Capabilities:(none) connid:1018 lifetime:23:49:44
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none), Phase1_id: 45.0.0.4
  IPSEC FLOW: permit 47 host 25.0.0.2 host 45.0.0.4 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2 drop 0 life (KB/Sec) 4579927/2985
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4579927/2985
   Outbound SPI : 0x37F51D9D, transform : esp-256-aes esp-sha-hmac    
    Socket State: Open

! Note: All tunnel traffic is now encrypted
! Note: Wireshark capture file link: Here