show run interface tunnel-ip 12
interface tunnel-ip12
description grr0 tunnel to juniper-CR1SEA01
ipv4 address 10.19.1.1 255.255.255.252
load-interval 30
tunnel source 2.2.2.2
keepalive 30 3
tunnel destination 1.1.1.1
!
Intf Intf LineP Encap MTU BW
Name State State Type (byte) (Kbps)
--------------------------------------------------------------------------------
ti12 up up TUNNEL_GRE 1500 100
Okay, so what about vpn tunnels?
They have a tunnel naming convention of tunnel-ipsec xxx. And you can re-use a tunnel-ip ## for a tunnel-ipsec interface, but it's best practice to give each tunnel a unique imho.
e.g
show int tunnel-ipsec 99 br
Wed Sep 01 03:44:31.166 UTC
Intf Intf LineP Encap MTU BW
Name State State Type (byte) (Kbps)
--------------------------------------------------------------------------------
ti99 up up IPSec 1476 0
RP/0/RSP0/CPU0:LACORE1#show int tunnel-ip 99 br
Wed Sep 01 03:44:41.493 UTC
Intf Intf LineP Encap MTU BW
Name State State Type (byte) (Kbps)
--------------------------------------------------------------------------------
ti99 down down TUNNEL_GRE 1500 100
So let's look at the step for vpn ipsec tunnels.
1st define your ike policies;
crypto isakmp policy 1
authentication pre-share
encryption 3des
lifetime 86400
!
crypto isakmp policy 10
authentication pre-share
group 2
encryption 3des
!
crypto isakmp policy 20
authentication pre-share
hash md5
group 2
encryption 3des
!
crypto isakmp policy 30
authentication pre-share
group 2
encryption aes
!
crypto isakmp policy 40
authentication pre-share
hash md5
group 2
encryption aes
!
don't forget to enable isakmp;
crypto isakmp
and you can verify it's enabled via the following show command <show crypto isaskmp > ;
sh crypto isakmp
Wed Sep 01 03:47:02.523 UTC
ISAKMP is enable
Keepalive not set
Identity set (IP)
Okay now, we can start the heart of the configuration. Craft your keyring;
crypto keyring key1 vrf default
pre-shared-key address 192.0.2.1 255.255.255.255 key mybigkeyhere
!
Enable the crypto logging status ( optional );
!
crypto logging tunnel-status
!
Build your ike profile and specific your keyring and identity method;
!
crypto isakmp profile isakmp_prof
description IOS-XR VPN
keyring key1
self-identity address
!
Next we build a transform set and ipsec profile where we specify the transform(s) in the profile;
!
crypto ipsec transform-set ESP-AES-md5
transform esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec transform-set ESP-AES-sha
transform esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec transform-set ESP-3DES-md5
transform esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec transform-set ESP-3DES-sha
transform esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec transform-set ESP-3DES-md5-1
transform esp-3des esp-md5-hmac
mode transport
!
and;
!
!
ipv4 access-list kenfelixipsec
10 permit ipv4 host 10.200.1.253 10.150.252.0/24
20 permit ipv4 10.150.252.0/24 host 10.200.1.253
!
!
crypto ipsec profile ipsecprofile
set pfs group2
set type static
match kenfelixipsec transform-set ESP-AES-md5
!
and we craft our peer address
!
crypto isakmp peer address xx.xxx.xxx.xxx vrf default
description "for socpuppets blog "
and we apply the profile to our interface;
RP/0/RSP0/CPU0:LACORE1#show run interface tunnel-ipsec 10
Wed Sep 01 03:56:22.061 UTC
interface tunnel-ipsec10
profile ipsecprofile
tunnel source Loopback5
tunnel destination xx.xxx.xxx.xxx
!
We can get tunnel-ipsec details via the following show comamnd;
show crypto ipsec interface
Wed Sep 01 03:58:08.406 UTC
--------------- IPSec interface ----------------
Interface tunnel-ipsec99, mode Tunnel, intf_handle 0x80001A0
Locations , VRF default (60000000)
Number of profiles 0, number of flows 0
Tunnel: source 0.0.0.0, destination 0.0.0.0, tunnel VRF default
DF-bit: Copy, pre-fragmentation Enable
default pmtu: 9216
No flows on this interface.
--------------- IPSec interface ----------------
Interface tunnel-ipsec10, mode Tunnel, intf_handle 0x80000A0
Locations , VRF (60000000)
Number of profiles 1, number of flows 0
Tunnel: source 192.02.1.49, destination 172.16.22.73, tunnel VRF default
DF-bit: Copy, pre-fragmentation Enable
default pmtu: 9216
No flows on this interface.
Keep this thought in mind;
IOS-XR is limited on tunnel-mode and only supports ipv4 gre
If you define policy type of "set type static" ios-xr is acting on the peer defined..
A crypto profiles replaces the legacy crypto map
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \
No comments:
Post a Comment