Applying policy (NAT, QoS, ACLs) on an IPsec VTI:
- IPsec traffic: Tunnel interface (VTI)
- Clear text traffic: physical interface
IPsec virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify the configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
Configure R1:
R1(config)#crypto isakmp policy 5
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 0.0.0.0
R1(config)#crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile P2P-PROFILE
R1(ipsec-profile)#set transform-set P2P-SET
R1(ipsec-profile)#exit
R1(config)#in lo 9
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config)#interface tunnel 1
R1(config-if)#ip unnumbered loopback 9
R1(config-if)#tunnel source serial 1/0
R1(config-if)#tunnel destination 35.0.0.3
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile P2P-PROFILE
R1(config-if)#router eigrp 777
R1(config-router)#no auto-summary
R1(config-router)#net 10.1.1.1 0.0.0.0
R1(config-router)#net 1.1.1.1 0.0.0.0
Configure R3:
R3(config)#crypto isakmp policy 5
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#hash sha
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco123 address 0.0.0.0
R3(config)#crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile P2P-PROFILE
R3(ipsec-profile)#set transform-set P2P-SET
R3(ipsec-profile)#exit
R3(config)#in lo 9
R3(config-if)#ip address 3.3.3.3 255.255.255.255
R3(config)#interface tunnel 1
R3(config-if)#ip unnumbered loopback 9
R3(config-if)#tunnel source serial 1/0
R3(config-if)#tunnel destination 15.0.0.1
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile P2P-PROFILE
R3(config-if)#router eigrp 777
R3(config-router)#no auto-summary
R3(config-router)#net 10.3.3.3 0.0.0.0
R3(config-router)#net 3.3.3.3 0.0.0.0
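An added check, not part of the lab above, that parses the ISAKMP policy and pre-shared key lines as "show running-config" prints them and flags the settings a reviewer would question in this configuration: the wildcard "address 0.0.0.0" key binding (one secret accepted from any peer) and "hash sha" (SHA-1). The sample configuration in the block is constructed from the R3 lines above; the severity labels, thresholds and IOS defaults used for omitted keywords are this example's own assumptions.

```python
import re

# Constructed sample input: the R3 IKE/IPsec lines from the lab above, as "show running-config" prints them.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encryption aes 256
 authentication pre-share
 group 14
 hash sha
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
"""

WEAK_HASHES = {"md5", "sha"}      # IOS "hash sha" means SHA-1
WEAK_CIPHERS = {"des", "3des"}
MIN_DH_GROUP = 14                 # groups below 14 use MODP smaller than 2048 bits


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its {keyword: value} sub-commands."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def audit_isakmp(config):
    """Return (severity, message) findings; omitted keywords take the assumed IOS defaults."""
    findings = []
    for num, a in parse_isakmp_policies(config).items():
        hash_alg = a.get("hash", "sha")
        cipher = a.get("encryption", "des").split()[0]
        group = int(a.get("group", "1"))
        if hash_alg in WEAK_HASHES:
            findings.append(("warn", f"policy {num}: hash {hash_alg} is SHA-1/MD5, prefer sha256"))
        if cipher in WEAK_CIPHERS:
            findings.append(("high", f"policy {num}: encryption {cipher} is obsolete"))
        if group < MIN_DH_GROUP:
            findings.append(("high", f"policy {num}: DH group {group} is below {MIN_DH_GROUP}"))
    # "address 0.0.0.0" binds the key to any peer IP, so one secret serves every peer.
    for addr in re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M):
        if addr == "0.0.0.0":
            findings.append(("high", "wildcard PSK (address 0.0.0.0): bind the key to specific peers"))
    return findings
```

Run audit_isakmp on the output of "show running-config | section crypto isakmp" from each router; an empty list means no finding.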
! Verify Configuration
R3#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(777)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.1 Tu1 11 00:02:16 154 1458 0 3
R3#show ip route eigrp | in Tunnel1
D 1.1.1.1 [90/27008000] via 1.1.1.1, 00:02:38, Tunnel1
D 10.1.1.0/24 [90/27008000] via 1.1.1.1, 00:02:38, Tunnel1
R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 35.0.0.3 15.0.0.1 ACTIVE aes sha psk 14 23:56:03
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
R3#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec AES256+SHA 0 68 68 35.0.0.3
2 IPsec AES256+SHA 69 0 0 35.0.0.3
1001 IKE SHA+AES256 0 0 0 35.0.0.3
R3#ping 10.1.1.1 source 10.3.3.3
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5)
R3#show ip interface brief | exclude unassigned
Interface IP-Address OK? Method Status Protocol
Serial1/0 35.0.0.3 YES manual up up
Loopback0 10.3.3.3 YES manual up up
Loopback9 3.3.3.3 YES manual up up
Tunnel1 3.3.3.3 YES TFTP up up
! Create Class Maps
R3(config)#class-map match-all VTI-CLASS
R3(config-cmap)#match any
R3(config-cmap)#exit
R3(config)#class-map match-all Serial-CLASS
R3(config-cmap)#match any
R3(config-cmap)#exit
R3(config)#do show class-map
Class Map match-any class-default (id 0)
Match any
Class Map match-all VTI-CLASS (id 1)
Match any
Class Map match-all Serial-CLASS (id 2)
Match any
! Create Policy Maps
R3(config)#policy-map VTI-MAP
R3(config-pmap)#class VTI-CLASS
R3(config-pmap-c)#set precedence 2
R3(config-pmap-c)#exit
R3(config-pmap)#exit
R3(config)#policy-map Serial-MAP
R3(config-pmap)#class Serial-CLASS
R3(config-pmap-c)#set precedence 4
R3(config-pmap-c)#exit
R3(config-pmap)#exit
R3(config)#do show policy-map
Policy Map VTI-MAP
Class VTI-CLASS
set precedence 2
Policy Map Serial-MAP
Class Serial-CLASS
set precedence 4
! Apply VTI-MAP to Tunnel1 interface
R3(config)#interface tunnel1
R3(config-if)#service-policy output VTI-MAP
R3(config-if)#exit
! Apply Serial-MAP to Serial interface
R3(config)#interface serial 1/0
R3(config-if)#service-policy output Serial-MAP
R3(config-if)#exit
! Note: Traffic sent directly out the physical interface is clear text; traffic sent through the Tunnel1 interface is encrypted.
R3#show policy-map interface tunnel 1
Tunnel1
Service-policy output: VTI-MAP
Class-map: VTI-CLASS (match-all)
15 packets, 792 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
precedence 2
Packets marked 15
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R3#show policy-map interface serial 1/0
Serial1/0
Service-policy output: Serial-MAP
Class-map: Serial-CLASS (match-all)
11 packets, 850 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
QoS Set
precedence 4
Packets marked 0
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
! Encrypted traffic (routed through Tunnel1)
R3#ping 10.1.1.1 source 10.3.3.3 repeat 10
! Clear-text traffic (sent directly out Serial1/0)
R3#ping 15.0.0.1 repeat 3