Sunday, February 3, 2013

IPsec within IPsec: Double tunnel site to site

The example below forms a site-to-site IPsec tunnel between R1 and R2. Once that tunnel is up, a second tunnel is formed between R4 and R3, which sit behind R1 and R2 respectively.

The R1-R2 crypto ACL protects everything between the 2.2.2.0/24 subnet (where R4 sits) and the 3.3.3.0/24 subnet (where R3 sits). The R4-R3 tunnel's ISAKMP and ESP packets travel between 2.2.2.1 and 3.3.3.2, so they match that ACL and are encrypted a second time inside the R1-R2 tunnel: IPsec within IPsec. It also means the inner tunnel can only come up after the outer one has been established, since R1 must negotiate with R2 before R4's ISAKMP packets can reach R3.

A few things to keep in mind when reading the configs: the transform sets are lab settings, and esp-des, esp-3des and the md5 hashes are deprecated (use AES and SHA-2 on anything real). The `crypto isakmp key ... address x.x.x.x 255.255.255.0` lines bind the pre-shared key to the whole /24 rather than to the one peer; leave the mask off (the default is a host entry) unless you really want any host in that subnet to be able to use the key. The ISAKMP `lifetime 300` forces a rekey every five minutes, which is handy for watching rekeys in a lab but far shorter than you would run in production.


R1 Config:
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 300
crypto isakmp key CHAMP address 1.1.1.2 255.255.255.0
!
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto mib ipsec flowmib history failure size 100
!
crypto map mapme 1 ipsec-isakmp
 description tunnel2
 set peer 1.1.1.2
 set security-association replay window-size 1024
 set transform-set TS
 match address 101
 qos pre-classify
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 3.3.3.0 255.255.255.0 1.1.1.2
ip route 200.200.200.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255


R2 Config:

crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 300
crypto isakmp key CHAMP address 1.1.1.1 255.255.255.0
!
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto mib ipsec flowmib history failure size 100
!
crypto map mapme 1 ipsec-isakmp
 description tunnel2
 set peer 1.1.1.1
 set security-association replay window-size 1024
 set transform-set TS
 match address 101
 qos pre-classify
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
interface FastEthernet0/1
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
ip route 200.200.200.0 255.255.255.0 FastEthernet0/1
!
no ip http secure-server
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!

R3 Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CHAMEY address 2.2.2.1 255.255.255.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map mapme 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TS
 match address 101
!
!
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.0
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 200.200.200.200 192.168.1.0 0.0.0.255

R4 Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CHAMEY address 3.3.3.2 255.255.255.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map mapme 1 ipsec-isakmp
 set peer 3.3.3.2
 set transform-set TS
 match address 101
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
! F0/1 connects to the cloud, which connects to my LAN adapter
interface FastEthernet0/1
 ip address 192.168.1.35 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1            
ip route 1.1.1.0 255.255.255.0 FastEthernet0/0
ip route 3.3.3.0 255.255.255.0 FastEthernet0/0
ip route 200.200.200.0 255.255.255.0 FastEthernet0/0

!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 200.200.200.200
!
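
To make the nesting concrete, here is a small Python model of how the two crypto-map ACLs above put one tunnel inside the other. It is an added example, not part of the original post and not anything IOS does: it encodes R4's and R1's crypto maps, walks a constructed 1400-byte packet from a host on R4's LAN to R3's loopback through them, and reports the encapsulation stack and the size of each ESP layer. The size figures assume the IOS defaults for these transform sets (a CBC IV equal to the cipher block size, 8 bytes for DES/3DES, and 96-bit HMAC ICVs of 12 bytes for both esp-sha-hmac and esp-md5-hmac). The `R1_MAP_WRONG` entry is a hypothetical misconfiguration, not from the post, included to show what happens when R1's ACL matches the LAN prefixes instead of the router subnets. The names (`CryptoMap`, `encapsulate`, `esp_tunnel_size`) are mine.

```python
"""Model of how Cisco crypto-map ACLs nest the R4-R3 tunnel inside R1-R2.

Added example, not from the original post. It reproduces the two crypto ACLs
from the configs above and computes how many ESP layers a packet from R4's
LAN to R3's loopback picks up on its way out, and how large each layer is.
Size assumptions: CBC IV == cipher block size (8 for DES/3DES, 16 for AES),
96-bit truncated HMAC ICVs (12 bytes for esp-sha-hmac and esp-md5-hmac).
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = 20       # new outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ESP_IV = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}   # IV == cipher block size
ESP_ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}       # HMAC-SHA1-96 / HMAC-MD5-96


def ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return ip2int(addr) & care == ip2int(net) & care


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    length: int                     # total IPv4 length in bytes
    inner: Optional["Packet"] = None


@dataclass
class CryptoMap:
    """One crypto map entry: its 'match address' ACL, peer and transform set."""
    router: str
    local: str          # address of the interface the crypto map is applied to
    peer: str
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str
    cipher: str
    auth: str

    def matches(self, pkt: Packet) -> bool:
        return (wc_match(pkt.src, self.src_net, self.src_wc)
                and wc_match(pkt.dst, self.dst_net, self.dst_wc))


def esp_tunnel_size(inner_len: int, cipher: str, auth: str) -> int:
    """Size of an ESP tunnel-mode packet carrying an inner_len-byte IP packet."""
    block = ESP_IV[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to block size
    return IPV4_HDR + ESP_HDR + block + padded + ESP_ICV[auth]


def encapsulate(pkt: Packet, path: List[CryptoMap]) -> List[Packet]:
    """Walk the packet through the crypto maps on its outbound path.

    Returns the encapsulation stack: the original packet first, then one
    ESP packet per crypto map whose ACL matched what the previous hop emitted.
    """
    stack = [pkt]
    for cm in path:
        if cm.matches(pkt):
            pkt = Packet(cm.local, cm.peer, "esp",
                         esp_tunnel_size(pkt.length, cm.cipher, cm.auth), inner=pkt)
            stack.append(pkt)
    return stack


# Crypto maps lifted from the R4 and R1 configs above.
R4_MAP = CryptoMap("R4", "2.2.2.1", "3.3.3.2",
                   "192.168.1.0", "0.0.0.255", "200.200.200.200", "0.0.0.0",
                   "esp-3des", "esp-md5-hmac")
R1_MAP = CryptoMap("R1", "1.1.1.1", "1.1.1.2",
                   "2.2.2.0", "0.0.0.255", "3.3.3.0", "0.0.0.255",
                   "esp-des", "esp-sha-hmac")
# Hypothetical mistake (not in the post): matching the LAN prefixes on R1
# instead of the router subnets. The ESP packet R4 emits never matches, so
# the R1-R2 link only sees the inner tunnel's own encryption.
R1_MAP_WRONG = CryptoMap("R1", "1.1.1.1", "1.1.1.2",
                         "192.168.1.0", "0.0.0.255", "200.200.200.0", "0.0.0.255",
                         "esp-des", "esp-sha-hmac")

# Constructed sample: a 1400-byte packet from a host on R4's LAN to R3's loopback.
SAMPLE = Packet("192.168.1.10", "200.200.200.200", "tcp", 1400)


def show(stack: List[Packet]) -> None:
    for depth, p in enumerate(stack):
        print(f"{'  ' * depth}{p.proto:4} {p.src} -> {p.dst}  {p.length} bytes")


if __name__ == "__main__":
    show(encapsulate(SAMPLE, [R4_MAP, R1_MAP]))
    print("--- with R1 matching the LAN prefixes instead ---")
    show(encapsulate(SAMPLE, [R4_MAP, R1_MAP_WRONG]))
```

Run it and the 1400-byte packet grows to 1456 bytes after R4 and 1512 bytes after R1, which is already past a 1500-byte Ethernet MTU: each tunnel-mode layer costs 56 bytes with these transform sets, so with two layers you want `ip tcp adjust-mss` or a lower `ip mtu` on the LAN side rather than relying on fragmentation. With the wrong ACL the stack stops at two entries: the inner tunnel still crosses the R1-R2 link, but only under its own 3DES, and `show crypto ipsec sa` on R1 would show no encaps at all.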



We will discuss IPsec in detail later in this series.
I hope you tried it and had fun learning it!

-Anupam
