VPN High Availability Using Crypto Maps and RRI
Last updated: May 20, 2013
Note: For this task, you can use the configuration files that resulted from completing the previous task, or you can load the Section 7 Initial Configuration Files to initialize your rack. Clearing the configurations from previous tasks before starting this configuration is recommended.
Task
Configure an IKEv1 IPsec tunnel between R3 and R1/R2 to protect traffic between the SW1 and SW2 Loopback0 interfaces:
Use AES-128/MD5 for both IPsec phases.
Use a 1024-bit DH algorithm.
Use a pre-shared-key of CISCO.
Configure the tunnel to accomplish the following:
Ensure tunnel redundancy.
Use a single set peer command on R1/R2.
R3 should prefer R1 to reach SW1's Loopback0.
Overview
This is a crypto-map redundancy scenario that relies on Reverse Route Injection (RRI). As explained in earlier tasks, RRI injects static routes into the routing table for the remote protected networks negotiated by IPsec (the remote networks of the local proxy ACL). In our scenario, because SW1 has two possible exit points (R1 or R2), the VPN gateway that terminates the IPsec tunnel with R3 redistributes the RRI routes into OSPF.
Note that DPD was also configured; it is required for a crypto-map entry with multiple set peer commands to function.
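The following Python model is an added illustration of the mechanism just described; it is not IOS configuration and not part of the original lab. It uses the lab's addresses (R1 136.1.18.1, R2 136.1.18.2, R3 150.1.3.3, SW1 Lo0 150.1.7.7, SW2 Lo0 150.1.8.8) but the Gateway, OspfDomain and Spoke classes and the run_scenario function are constructed for this example. It shows why the hub that holds the active SA is the one SW1 routes through, and what happens to SW1's path when R1 goes down and R3 falls over to its second set peer.

```python
"""Model of crypto-map redundancy with RRI (constructed example, not IOS code).

R1 and R2 each hold a crypto map protecting SW1 Lo0 <-> SW2 Lo0. R3 lists both
as peers in preference order; the first live peer wins. Whichever hub holds the
active SA injects a static route for the remote proxy network (RRI) and
redistributes it into OSPF, which is how SW1 learns a path to 150.1.8.8/32.
"""
from ipaddress import ip_network

class Gateway:
    """A hub (R1 or R2) with a crypto map and reverse-route enabled."""
    def __init__(self, name, addr, proxy_acl):
        self.name, self.addr = name, addr
        self.proxy_acl = proxy_acl      # [(local_net, remote_net)] from the crypto ACL
        self.up = True                  # state of the crypto-map interface
        self.sa_peer = None             # remote peer of the active IPsec SA
        self.static_routes = {}         # RRI routes: remote_net -> next hop

    def sa_established(self, peer):
        """Phase 2 completed: RRI injects one static route per remote proxy network."""
        self.sa_peer = peer
        for _local, remote in self.proxy_acl:
            self.static_routes[remote] = peer

    def sa_torn_down(self):
        """DPD timeout or interface down: the SA and its RRI routes are withdrawn."""
        self.sa_peer = None
        self.static_routes.clear()

class OspfDomain:
    """SW1's view: every live hub redistributes its static (RRI) routes into OSPF."""
    def __init__(self, gateways):
        self.gateways = gateways

    def route(self, dst):
        net = ip_network(dst)
        for gw in self.gateways:
            if gw.up and net in gw.static_routes:
                return gw.name          # SW1 forwards toward this hub
        return None                     # no RRI route yet: SW1 has no OSPF path

class Spoke:
    """R3: `set peer` entries are tried in order, DPD skips a dead peer."""
    def __init__(self, addr, peers):
        self.addr, self.peers = addr, peers

    def negotiate(self):
        for gw in self.peers:
            if gw.up:                   # a down hub is declared dead by DPD
                gw.sa_established(self.addr)
                return gw.name
        return None

def run_scenario():
    """Returns SW1's next-hop hub before the tunnel, after R1 wins, and after failover."""
    acl = [(ip_network("150.1.7.7/32"), ip_network("150.1.8.8/32"))]
    r1 = Gateway("R1", "136.1.18.1", acl)
    r2 = Gateway("R2", "136.1.18.2", acl)
    ospf = OspfDomain([r1, r2])
    r3 = Spoke("150.1.3.3", [r1, r2])   # R1 listed first, so R1 is preferred
    trace = [("before", ospf.route("150.1.8.8/32"))]
    trace.append(("first", r3.negotiate(), ospf.route("150.1.8.8/32")))
    r1.up = False                       # shutdown of R1 Gi0/0 in the verification step
    r1.sa_torn_down()
    trace.append(("failover", r3.negotiate(), ospf.route("150.1.8.8/32")))
    return trace

if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The model deliberately keeps only the pieces the scenario depends on: SW1 has no route to 150.1.8.8/32 until an SA exists somewhere, the route follows whichever hub owns the SA, and R3's peer order decides which hub that is while both are reachable.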
Configuration
R1 and R2 (same configuration on both):
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash md5
 group 2
!
crypto keyring R3_LO
 pre-shared-key address 150.1.3.3 255.255.255.255 key CISCO
!
crypto isakmp profile R3_LO
 keyring R3_LO
 match identity address 150.1.3.3 255.255.255.255
!
ip access-list extended LOSW1_LOSW2
 permit ip host 150.1.7.7 host 150.1.8.8
!
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
!
crypto map VPN 4 ipsec-isakmp
 set peer 150.1.3.3
 set isakmp-profile R3_LO
 set transform-set AES128_MD5
 match address LOSW1_LOSW2
 reverse-route
!
router ospf 111
 redistribute static subnets
!
interface GigabitEthernet0/0
 crypto map VPN
R3:
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash md5
 group 2
!
crypto keyring R1_R2
 pre-shared-key address 136.1.18.1 255.255.255.255 key CISCO
 pre-shared-key address 136.1.18.2 255.255.255.255 key CISCO
!
crypto isakmp profile R1_R2
 keyring R1_R2
 match identity address 136.1.18.1 255.255.255.255
 match identity address 136.1.18.2 255.255.255.255
!
ip access-list extended LOSW2_LOSW1
 permit ip host 150.1.8.8 host 150.1.7.7
!
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
!
crypto map VPN local-address Loopback0
crypto map VPN 4 ipsec-isakmp
 set peer 136.1.18.1
 set peer 136.1.18.2
 set isakmp-profile R1_R2
 set transform-set AES128_MD5
 match address LOSW2_LOSW1
!
interface FastEthernet0/0.38
 crypto map VPN
!
interface FastEthernet0/0.83
 crypto map VPN
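As an added example (not part of the lab, and not a Cisco tool), the Python script below audits IOS crypto-map configuration text against the requirements of this task: AES/MD5 in both phases, DH group 2, pre-shared keys, a single set peer with reverse-route and static redistribution into OSPF on the hubs, and at least two set peer entries backed by DPD on the spoke. The two sample configs are transcribed from the configuration above with Cisco's one-space indentation for subcommands; the parse_blocks and audit functions, the hub/spoke role names, and the finding strings are constructed for this example, and the parser handles only the simple command/subcommand layout shown here.

```python
"""Audit IOS crypto-map configs against this task's requirements (constructed example).

parse_blocks() splits config text into top-level commands with their indented
subcommands; audit() checks the phase 1/phase 2 parameters, the PSK, and the
role-specific redundancy pieces (RRI + redistribution on hubs, several peers +
DPD on the spoke). Sample configs are transcribed from the lab.
"""
import re

HUB_CONFIG = """
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash md5
 group 2
crypto keyring R3_LO
 pre-shared-key address 150.1.3.3 255.255.255.255 key CISCO
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
crypto map VPN 4 ipsec-isakmp
 set peer 150.1.3.3
 set transform-set AES128_MD5
 match address LOSW1_LOSW2
 reverse-route
router ospf 111
 redistribute static subnets
interface GigabitEthernet0/0
 crypto map VPN
"""

SPOKE_CONFIG = """
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash md5
 group 2
crypto keyring R1_R2
 pre-shared-key address 136.1.18.1 255.255.255.255 key CISCO
 pre-shared-key address 136.1.18.2 255.255.255.255 key CISCO
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
crypto map VPN 4 ipsec-isakmp
 set peer 136.1.18.1
 set peer 136.1.18.2
 set transform-set AES128_MD5
 match address LOSW2_LOSW1
interface FastEthernet0/0.38
 crypto map VPN
"""

def parse_blocks(text):
    """Return [(command, [subcommands])]; indented lines belong to the block above."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def audit(text, role):
    """role is 'hub' (R1/R2) or 'spoke' (R3). Returns a list of findings; empty means OK."""
    blocks = parse_blocks(text)
    tops = [cmd for cmd, _ in blocks]
    issues = []
    # Phase 1: every ISAKMP policy must carry the required parameters.
    policies = [subs for cmd, subs in blocks if cmd.startswith("crypto isakmp policy")]
    if not policies:
        issues.append("no ISAKMP policy")
    for subs in policies:
        for want in ("authentication pre-share", "encryption aes", "hash md5", "group 2"):
            if want not in subs:
                issues.append(f"ISAKMP policy lacks '{want}'")
    # Phase 2: transform set using AES (128-bit when no size is given) and MD5-HMAC.
    if not any(c.startswith("crypto ipsec transform-set") and "esp-aes" in c
               and "esp-md5-hmac" in c for c in tops):
        issues.append("no AES/MD5 transform set")
    if not any(s.startswith("pre-shared-key") for _, subs in blocks for s in subs):
        issues.append("no pre-shared key configured")
    # Crypto-map entries: peer count, RRI and DPD depend on the router's role.
    dpd = any(c.startswith("crypto isakmp keepalive") for c in tops)
    maps = [(c, s) for c, s in blocks if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", c)]
    if not maps:
        issues.append("no ipsec-isakmp crypto map entry")
    for cmd, subs in maps:
        peers = [s for s in subs if s.startswith("set peer ")]
        if role == "hub":
            if len(peers) != 1:
                issues.append(f"{cmd}: expected one set peer, found {len(peers)}")
            if "reverse-route" not in subs:
                issues.append(f"{cmd}: reverse-route missing, no RRI")
        else:
            if len(peers) < 2:
                issues.append(f"{cmd}: redundancy needs at least two set peer entries")
            if len(peers) > 1 and not dpd:
                issues.append(f"{cmd}: multiple set peer entries without DPD keepalive")
    # Hubs must redistribute the RRI static routes, or SW1 never learns the path.
    if role == "hub" and not any(
            s.startswith("redistribute static") for c, subs in blocks
            if c.startswith("router ospf") for s in subs):
        issues.append("RRI static routes are not redistributed into OSPF")
    return issues

if __name__ == "__main__":
    print("hub:", audit(HUB_CONFIG, "hub"))
    print("spoke:", audit(SPOKE_CONFIG, "spoke"))
```

Run against a config where the keepalive line has been removed, the spoke audit reports the multiple-peer entry without DPD, which is exactly the combination the Overview warns about: without DPD, R3 has no prompt way to notice that the first peer has gone away.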
Verification
Verify the routing table on SW1 before the IPsec tunnel is established, generate interesting traffic from SW2, and verify the routing table on SW1 again.
Rack1SW1#show ip route ospf
Rack1SW1#
!
!
Rack1SW2#ping 150.1.7.7 source loopback0
Determine whether the required algorithms are used for the tunnel establishment. Note that if the configuration from previous tasks was not removed, IPsec Phase 2 will negotiate SAs for all tunnels created between R1 and R3.
Rack1R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
Bring down R1's interface in VLAN18 and generate interesting traffic again; the tunnel should be negotiated with R2, and R2 should now perform the RRI.
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#interface gigabitEthernet 0/0
Rack1R1(config-if)#shutdown
%DUAL-5-NBRCHANGE: EIGRP-IPv4 111: Neighbor 136.1.18.2 (GigabitEthernet0/0) is down: holding time expired
%DUAL-5-NBRCHANGE: EIGRP-IPv4 111: Neighbor 136.1.18.8 (GigabitEthernet0/0) is down: holding time expired
!
!
Rack1SW2#ping 150.1.7.7 source loopback0 repeat 10
Interface: GigabitEthernet0/0
Profile: R3_LO
Session status: UP-ACTIVE
Peer: 150.1.3.3 port 500
IKEv1 SA: local 136.1.18.2/500 remote 150.1.3.3/500 Active
IPSEC FLOW: permit ip host 150.1.7.7 host 150.1.8.8
Active SAs: 2, origin: crypto map