06 May 2010

Cisco IOS VPN Configuration - NSA


























Now, a real example that applies the NSA's Cisco IOS hardening tips: two VPN endpoints (R1 and R2) with a transit router (GW) between them.


cat R1.cfg


!
! R1: VPN endpoint for the 192.168.0.0/24 side (Loopback0 stands in for the LAN). Its peer is
! R2 at 189.0.0.2, reached through GW via the default route; ISAKMP/IPsec with a pre-shared key,
! plus PAT ("overload") on FastEthernet0/0 for traffic sourced from 192.168.0.0/24.
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): no line/enable passwords are set anywhere in this config; when they are added,
! turn on "service password-encryption" and use "enable secret" (hashed) rather than "enable password".
no service password-encryption
no service dhcp
!
hostname R1
!
! Only the log queue size is set: there is no "logging buffered" or "logging host", so
! ISAKMP/IPsec failures are only visible on the console while they happen.
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
! Phase 1 (IKE/ISAKMP) policy: 3DES, pre-shared-key authentication, DH group 2 (1024-bit MODP);
! hash and lifetime are not shown, i.e. the IOS defaults (SHA-1, 86400 s).
! NOTE(review): 3DES / SHA-1 / group 2 were typical when this was written but are below current
! guidance; prefer AES, SHA-2 and DH group 14 or higher where the image supports them. Change
! the peer's policy in step, since the policies are matched against the remote side.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! NOTE(review): "01234abcde" is a short, guessable pre-shared key stored in the clear in the
! config; use a long random key (or certificate authentication) and keep it out of published configs.
crypto isakmp key 01234abcde address 189.0.0.2
!
! Phase 2 proposal: ESP with 3DES encryption and SHA-1 HMAC integrity (no AH).
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
! Crypto map bound to FastEthernet0/0 below: traffic matching ACL 101 is sent to the peer
! protected with set1. Lifetimes: 80000 KB is well below the IOS default (4,608,000 KB), which
! suits a 64-bit-block cipher such as 3DES, but 26400 s is longer than the 3600 s default.
! NOTE(review): there is no "set pfs", so Phase 2 keys are derived from the Phase 1 secret
! without perfect forward secrecy; add "set pfs group2" (or stronger) on both peers if that matters.
crypto map pipe-1 1 ipsec-isakmp
 set peer 189.0.0.2
 set security-association lifetime kilobytes 80000
 set security-association lifetime seconds 26400
 set transform-set set1
 match address 101
!
!
! "Inside" network for both NAT and the VPN (192.168.0.1/32, simulating the LAN).
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
 ip nat inside
!
! Outside/WAN interface toward GW; carries the crypto map.
! NOTE(review): ACL 100 (defined below) is never bound here; it has no effect without
! "ip access-group 100 in" on this interface.
interface FastEthernet0/0
 ip address 200.0.0.2 255.255.255.252
 ip nat outside
 speed auto
 crypto map pipe-1
!
! NOTE(review): ACL 1 also matches the VPN traffic. In the documented IOS order of operations,
! inside-to-outside NAT runs before the crypto map check, so 192.168.0.0/24 -> 172.16.0.0/24
! packets are translated to 200.0.0.2 and then no longer match ACL 101, i.e. they leave in the
! clear instead of entering the tunnel (confirm with "show ip nat translations" and the encaps
! counters in "show crypto ipsec sa"). Exempt the VPN traffic from NAT, e.g.:
!   ip nat inside source list 110 interface FastEthernet0/0 overload
!   access-list 110 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!   access-list 110 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.1
! HTTP/HTTPS management disabled (one of the NSA router-hardening recommendations).
no ip http server
no ip http secure-server
!
! ACL 1: NAT source list (see the note above the "ip nat inside source" line).
access-list 1 permit 192.168.0.0 0.0.0.255
! ACL 100: the NSA-style "only VPN protocols from the peer" filter meant for the outside
! interface (ESP, AH and ISAKMP/UDP 500 from 189.0.0.2 only). It is defined but not applied.
! NOTE(review): before applying it, note that older trains such as this 12.2 image re-check
! decrypted packets against the inbound interface ACL (confirm for your release), so the
! cleartext 172.16.0.0/24 -> 192.168.0.0/24 traffic, and any ICMP/management you rely on,
! must be permitted too or it will be dropped. The "ahp" entry is unused: set1 is ESP-only.
access-list 100 permit esp host 189.0.0.2 host 200.0.0.2
access-list 100 permit ahp host 189.0.0.2 host 200.0.0.2
access-list 100 permit udp host 189.0.0.2 host 200.0.0.2 eq isakmp
! ACL 101: traffic to protect (the crypto map's "match address"); R2 holds the mirror image.
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 logging synchronous
! NOTE(review): the aux and vty lines show no login method, no "access-class" and no
! "transport input" restriction; whether a bare "line vty 0 4" accepts unauthenticated telnet
! or refuses all logins depends on this image's line defaults (confirm). Set an explicit
! "transport input ssh", an "access-class ... in" and a login method before exposing them.
line aux 0
line vty 0 4
!
no scheduler allocate
end


cat GW.cfg


!
! GW: transit router standing in for the "Internet" between R1 (on 200.0.0.0/30) and R2 (on
! 189.0.0.0/30). It carries no crypto, NAT or access-list configuration and only routes between
! its two connected /30s, so the ISAKMP/ESP traffic between R1 and R2 crosses it unchanged.
! It is also the natural place to capture traffic and confirm that only ISAKMP and ESP are seen.
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): no passwords are configured here at all; if any are added, enable
! "service password-encryption" and prefer "enable secret".
no service password-encryption
no service dhcp
!
hostname GW
!
boot-start-marker
boot-end-marker
!
!
! AAA is off: line-level authentication only (and none is configured on the lines below).
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip audit po max-events 100
!
!
! Link toward R1 (R1 is 200.0.0.2).
interface FastEthernet0/0
 ip address 200.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
! Link toward R2 (R2 is 189.0.0.2).
interface FastEthernet1/0
 ip address 189.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
!
line con 0
 logging synchronous
! NOTE(review): aux and vty lines show no login method, "access-class" or "transport input"
! restriction; acceptable for an isolated lab transit box, not for anything reachable.
line aux 0
line vty 0 4
!
!
end


cat R2.cfg

!
! R2: VPN endpoint for the 172.16.0.0/24 side (Loopback0 stands in for the LAN). Its peer is
! R1 at 200.0.0.2, reached through GW via the default route; ISAKMP/IPsec with a pre-shared key,
! plus PAT ("overload") on FastEthernet0/0 for traffic sourced from 172.16.0.0/24. The crypto
! settings mirror R1's and must stay identical for the SAs to negotiate.
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): no line/enable passwords are set anywhere in this config; when they are added,
! turn on "service password-encryption" and use "enable secret" (hashed) rather than "enable password".
no service password-encryption
no service dhcp
!
hostname R2
!
! Only the log queue size is set: there is no "logging buffered" or "logging host", so
! ISAKMP/IPsec failures are only visible on the console while they happen.
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
! Phase 1 (IKE/ISAKMP) policy: 3DES, pre-shared-key authentication, DH group 2 (1024-bit MODP);
! hash and lifetime are not shown, i.e. the IOS defaults (SHA-1, 86400 s).
! NOTE(review): 3DES / SHA-1 / group 2 are below current guidance; prefer AES, SHA-2 and DH
! group 14 or higher where the image supports them, changing R1 in step.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! NOTE(review): "01234abcde" is a short, guessable pre-shared key stored in the clear in the
! config; use a long random key (or certificate authentication) and keep it out of published configs.
crypto isakmp key 01234abcde address 200.0.0.2
!
!
! Phase 2 proposal: ESP with 3DES encryption and SHA-1 HMAC integrity (no AH).
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
! Crypto map bound to FastEthernet0/0 below: traffic matching ACL 101 is sent to the peer
! protected with set1. Lifetimes: 80000 KB is well below the IOS default (4,608,000 KB), which
! suits a 64-bit-block cipher such as 3DES, but 26400 s is longer than the 3600 s default.
! NOTE(review): there is no "set pfs", so Phase 2 keys are derived from the Phase 1 secret
! without perfect forward secrecy; add "set pfs group2" (or stronger) on both peers if that matters.
crypto map pipe-1 1 ipsec-isakmp
 set peer 200.0.0.2
 set security-association lifetime kilobytes 80000
 set security-association lifetime seconds 26400
 set transform-set set1
 match address 101
!
! "Inside" network for both NAT and the VPN (172.16.0.1/32, simulating the LAN).
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
 ip nat inside
!
! Outside/WAN interface toward GW; carries the crypto map.
! NOTE(review): ACL 100 (defined below) is never bound here; it has no effect without
! "ip access-group 100 in" on this interface.
interface FastEthernet0/0
 ip address 189.0.0.2 255.255.255.252
 ip nat outside
 speed auto
 crypto map pipe-1
!
! NOTE(review): ACL 1 also matches the VPN traffic. In the documented IOS order of operations,
! inside-to-outside NAT runs before the crypto map check, so 172.16.0.0/24 -> 192.168.0.0/24
! packets are translated to 189.0.0.2 and then no longer match ACL 101, i.e. they leave in the
! clear instead of entering the tunnel (confirm with "show ip nat translations" and the encaps
! counters in "show crypto ipsec sa"). Exempt the VPN traffic from NAT, e.g.:
!   ip nat inside source list 110 interface FastEthernet0/0 overload
!   access-list 110 deny   ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!   access-list 110 permit ip 172.16.0.0 0.0.0.255 any
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 189.0.0.1
! HTTP/HTTPS management disabled (one of the NSA router-hardening recommendations).
no ip http server
no ip http secure-server
!
! ACL 1: NAT source list (see the note above the "ip nat inside source" line).
access-list 1 permit 172.16.0.0 0.0.0.255
! ACL 100: the NSA-style "only VPN protocols from the peer" filter meant for the outside
! interface (ESP, AH and ISAKMP/UDP 500 from 200.0.0.2 only). It is defined but not applied.
! NOTE(review): before applying it, note that older trains such as this 12.2 image re-check
! decrypted packets against the inbound interface ACL (confirm for your release), so the
! cleartext 192.168.0.0/24 -> 172.16.0.0/24 traffic, and any ICMP/management you rely on,
! must be permitted too or it will be dropped. The "ahp" entry is unused: set1 is ESP-only.
access-list 100 permit esp host 200.0.0.2 host 189.0.0.2
access-list 100 permit ahp host 200.0.0.2 host 189.0.0.2
access-list 100 permit udp host 200.0.0.2 host 189.0.0.2 eq isakmp
! ACL 101: traffic to protect (the crypto map's "match address"); R1 holds the mirror image.
access-list 101 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 logging synchronous
! NOTE(review): the aux and vty lines show no login method, no "access-class" and no
! "transport input" restriction; whether a bare "line vty 0 4" accepts unauthenticated telnet
! or refuses all logins depends on this image's line defaults (confirm). Set an explicit
! "transport input ssh", an "access-class ... in" and a login method before exposing them.
line aux 0
line vty 0 4
!
no scheduler allocate
end


Troubleshooting commands


# show crypto isakmp sa    (Phase One: the IKE SA; a healthy tunnel shows state QM_IDLE)
# show crypto ipsec sa     (Phase Two: the IPsec SAs; check that the "pkts encaps/decaps" counters move)
# clear crypto sa          (tears down every IPsec SA; traffic is dropped until they renegotiate)
# clear crypto isa         (abbreviation of "clear crypto isakmp"; tears down the IKE SA as well)
# debug crypto ipsec       (verbose; on a production box prefer conditional debugs and run "undebug all" when done)
# debug crypto isakmp




See Also:







biOos
