
CCIE Security V4 Technology Labs
Section 7: Confidentiality and Secure Access


VPN High Availability Using Crypto Maps and RRI
Last updated: May 20, 2013

Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.

Clearing the configurations from previous tasks before starting this configuration is
recommended.

Task
Configure an IKEv1 IPsec tunnel between R3 and R1/R2 to protect traffic between SW1 and SW2
Loopback0 interfaces:
Use AES-128/MD5 for both IPsec phases.
Use a 1024-bit DH algorithm.
Use a pre-shared-key of CISCO.
Configure the tunnel to accomplish the following:
Ensure tunnel redundancy.
Use a single set peer command on R1/R2.
R3 should prefer R1 to reach SW1's Loopback0.

Overview
This is a crypto-map redundancy scenario that relies on Reverse Route Injection (RRI). As explained
in earlier tasks, RRI injects static routes for the remote protected networks (the destination networks
of the local proxy ACL) into the routing table once IPsec negotiates them. In our scenario, because
SW1 has two possible exit points (R1 or R2), whichever VPN gateway currently terminates the IPsec
tunnel with R3 redistributes its RRI routes into OSPF, so SW1 always learns the path to SW2's
Loopback0 through the active gateway.

Note that DPD was also configured; it is required for a crypto-map entry with multiple set peer
commands to fail over: without DPD, R3 cannot detect that its current peer has gone away and
will not move the tunnel to the next peer.

Configuration
R1:
crypto isakmp policy 40
authentication pre-share
encryption aes
hash md5
group 2
!
crypto keyring R3_LO
pre-shared-key address 150.1.3.3 255.255.255.255 key CISCO
!
crypto isakmp profile R3_LO
keyring R3_LO
match identity address 150.1.3.3 255.255.255.255
!
ip access-list extended LOSW1_LOSW2
permit ip host 150.1.7.7 host 150.1.8.8
!
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
!
crypto map VPN 4 ipsec-isakmp
set peer 150.1.3.3
set isakmp-profile R3_LO
set transform-set AES128_MD5
match address LOSW1_LOSW2
reverse-route
!
router ospf 111
redistribute static subnets
!
interface GigabitEthernet0/0
crypto map VPN

R2:
crypto isakmp policy 40
authentication pre-share
encryption aes
hash md5
group 2
!
crypto keyring R3_LO
pre-shared-key address 150.1.3.3 255.255.255.255 key CISCO
!
crypto isakmp profile R3_LO
keyring R3_LO
match identity address 150.1.3.3 255.255.255.255
!
ip access-list extended LOSW1_LOSW2
permit ip host 150.1.7.7 host 150.1.8.8
!
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
!
crypto map VPN 4 ipsec-isakmp
set peer 150.1.3.3
set isakmp-profile R3_LO
set transform-set AES128_MD5
match address LOSW1_LOSW2
reverse-route
!
router ospf 111
redistribute static subnets
!
interface GigabitEthernet0/0
crypto map VPN

R3:
crypto isakmp policy 40
authentication pre-share
encryption aes
hash md5
group 2
!
crypto keyring R1_R2
pre-shared-key address 136.1.18.1 255.255.255.255 key CISCO
pre-shared-key address 136.1.18.2 255.255.255.255 key CISCO
!
crypto isakmp profile R1_R2
keyring R1_R2
match identity address 136.1.18.1 255.255.255.255
match identity address 136.1.18.2 255.255.255.255
!
ip access-list extended LOSW2_LOSW1
permit ip host 150.1.8.8 host 150.1.7.7
!
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES128_MD5 esp-aes esp-md5-hmac
!
crypto map VPN local-address Loopback0
crypto map VPN 4 ipsec-isakmp
set peer 136.1.18.1
set peer 136.1.18.2
set isakmp-profile R1_R2
set transform-set AES128_MD5
match address LOSW2_LOSW1
!
interface FastEthernet0/0.38
crypto map VPN
!
interface FastEthernet0/0.83
crypto map VPN

Verification
Verify the routing table on SW1 before the IPsec tunnel is established, generate interesting traffic
from SW2, and verify the routing table on SW1 again.
Rack1SW1#show ip route ospf

Rack1SW1#
!
!
Rack1SW2#ping 150.1.7.7 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.7.7, timeout is 2 seconds:
Packet sent with a source address of 150.1.8.8
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/4/8 ms
!
!
Rack1SW1#show ip route ospf
150.1.0.0/32 is subnetted, 2 subnets
O E2 150.1.8.8 [110/20] via 136.1.12.1, 00:01:13, Vlan12

Determine whether the required algorithms are used for tunnel establishment. Note that if the
configuration from previous tasks was not removed, IPsec Phase 2 will negotiate SAs for all tunnels
created between R1 and R3.
Rack1R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1003  150.1.3.3       136.1.18.1             ACTIVE aes  md5  psk  2  23:57:39 D
      Engine-id:Conn-id = SW:3

IPv6 Crypto ISAKMP SA


!
!
Rack1R3#show crypto session remote 136.1.18.1
Crypto session current status

Interface: FastEthernet0/0.38 FastEthernet0/0.83
Profile: R1_R2
Session status: UP-ACTIVE
Peer: 136.1.18.1 port 500
IKEv1 SA: local 150.1.3.3/500 remote 136.1.18.1/500 Active
IPSEC FLOW: permit ip host 150.1.8.8 host 150.1.7.7
Active SAs: 2, origin: crypto map

Bring down R1's interface to VLAN18 and generate interesting traffic again; the tunnel should now be
negotiated with R2, and R2 should perform the RRI.
Rack1R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R1(config)#interface gigabitEthernet 0/0
Rack1R1(config-if)#shutdown
%DUAL-5-NBRCHANGE: EIGRP-IPv4 111: Neighbor 136.1.18.2 (GigabitEthernet0/0) is down: holding time expired
%DUAL-5-NBRCHANGE: EIGRP-IPv4 111: Neighbor 136.1.18.8 (GigabitEthernet0/0) is down: holding time expired
!
!
Rack1SW2#ping 150.1.7.7 source loopback0 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 150.1.7.7, timeout is 2 seconds:
Packet sent with a source address of 150.1.8.8
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/4/9 ms
!
!
Rack1SW1#show ip route ospf
150.1.0.0/32 is subnetted, 2 subnets
O E2 150.1.8.8 [110/20] via 136.1.12.2, 00:00:06, Vlan12
!
!
Rack1R2#show crypto route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
150.1.8.8/255.255.255.255 [1/0] via 150.1.3.3 tag 0 count 1 rtid 2 on GigabitEthernet0/0 RRI

Verify that the tunnel is now established with R2 using the required algorithms.
Rack1R2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1002  136.1.18.2      150.1.3.3              ACTIVE aes  md5  psk  2  23:58:32 D
      Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA


!
!
Rack1R2#show crypto session remote 150.1.3.3
Crypto session current status

Interface: GigabitEthernet0/0
Profile: R3_LO
Session status: UP-ACTIVE
Peer: 150.1.3.3 port 500
IKEv1 SA: local 136.1.18.2/500 remote 150.1.3.3/500 Active
IPSEC FLOW: permit ip host 150.1.7.7 host 150.1.8.8
Active SAs: 2, origin: crypto map
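The two verification steps above (checking the phase-1 parameters on R3, then on R2 after failover, plus the RRI route on the active gateway) are easy to eyeball once but tedious to repeat on every rack. The following script is an added example, not part of this workbook or of Cisco IOS: it parses the `show crypto isakmp sa detail` and `show crypto route` output formats shown on this page and checks that the SA is ACTIVE, uses AES/MD5/PSK with DH group 2, has DPD negotiated (the `D` capability code), and that the gateway holding the tunnel has injected the RRI host route for 150.1.8.8 via R3. The column layout assumed by the regular expressions and the sample outputs are constructed from the R2 outputs on this page; the function names are this example's own.

```python
"""Check the IKEv1 SA and RRI route state against the task requirements.

Added example, not part of the INE workbook: parses the 'show crypto isakmp sa
detail' and 'show crypto route' formats shown on this page. Sample outputs are
constructed from the R2 verification output on the page.
"""
import re

# Phase-1 parameters required by the task statement (AES-128, MD5, PSK, DH group 2).
REQUIRED = {"encr": "aes", "hash": "md5", "auth": "psk", "dh": "2"}

# Constructed sample: R2's ISAKMP SA after R1's Gi0/0 was shut down.
SAMPLE_ISAKMP_R2 = """\
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1002  136.1.18.2      150.1.3.3              ACTIVE aes  md5  psk  2  23:58:32 D
      Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: R2's 'show crypto route' with the RRI-injected host route.
SAMPLE_CRYPTO_ROUTE_R2 = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
150.1.8.8/255.255.255.255 [1/0] via 150.1.3.3 tag 0 count 1 rtid 2 on GigabitEthernet0/0 RRI
"""

# One SA row. The I-VRF column is blank for the global table, so it is optional;
# the status is upper-case, which stops the optional VRF group from swallowing it.
SA_ROW = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>[\d.]+)\s+(?P<remote>[\d.]+)\s+"
    r"(?:(?P<vrf>\S+)\s+)?(?P<status>[A-Z_]+)\s+"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<dh>\d+)\s+"
    r"(?P<lifetime>\S+)(?:\s+(?P<cap>\S+))?\s*$"
)

# One 'show crypto route' entry: prefix/mask, next hop, egress interface, route kind.
ROUTE_ROW = re.compile(
    r"^(?P<prefix>[\d.]+)/(?P<mask>[\d.]+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<nexthop>[\d.]+).*?\bon\s+(?P<intf>\S+)\s+(?P<kind>RRI|VTI|S)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per IPv4 ISAKMP SA row; 'cap' becomes a set of capability codes."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["cap"] = set(sa["cap"] or "")
            sas.append(sa)
    return sas


def parse_crypto_routes(text):
    """Return one dict per route in 'show crypto route' output."""
    return [m.groupdict() for m in
            (ROUTE_ROW.match(line.strip()) for line in text.splitlines()) if m]


def check_sa(sa, required=REQUIRED):
    """List every way the SA deviates from the required phase-1 parameters."""
    problems = []
    if sa["status"] != "ACTIVE":
        problems.append(f"status {sa['status']} (expected ACTIVE)")
    for field, want in required.items():
        if sa[field].lower() != want:
            problems.append(f"{field} {sa[field]} (expected {want})")
    # 'D' in Cap. means DPD was negotiated; without it a dead peer goes unnoticed
    # and the crypto map never fails over to the next 'set peer' entry.
    if "D" not in sa["cap"]:
        problems.append("DPD not negotiated (no 'D' capability)")
    return problems


def verify_gateway(isakmp_text, route_text, peer, remote_host):
    """Report whether this gateway holds an SA with `peer` that meets the task
    requirements and has injected the RRI host route for `remote_host` via `peer`."""
    sas = [s for s in parse_isakmp_sa(isakmp_text) if s["remote"] == peer]
    rri = [r for r in parse_crypto_routes(route_text)
           if r["kind"] == "RRI" and r["prefix"] == remote_host and r["nexthop"] == peer]
    return {
        "sa_present": bool(sas),
        "sa_problems": [p for s in sas for p in check_sa(s)],
        "rri_route": bool(rri),
    }


if __name__ == "__main__":
    print(verify_gateway(SAMPLE_ISAKMP_R2, SAMPLE_CRYPTO_ROUTE_R2, "150.1.3.3", "150.1.8.8"))
```

Running the same checks against R3's output would use peer 136.1.18.1 before the failover and 136.1.18.2 after it; R3 is not expected to carry an RRI route, since only R1 and R2 configure `reverse-route`, so only `sa_present` and `sa_problems` are meaningful there.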
