
Wednesday, October 16, 2019

Please go through the following DMVPN and IPSec posts in order to understand the following configuration. I am using the same topology here and just configuring IPSec over it.

DMVPN Tunneling
IPSec over Static Virtual Tunnel Interface on Cisco IOS


For this example I am using the DMVPN Phase 2 configuration, which is the more common one.
Here too, R1 is the NHS / Hub and the others are Clients / Spokes.

DMVPN Config

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel mode gre multipoint

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel mode gre multipoint

Now it's time to run IPSec.

IPSec Config

This configuration is somewhat similar to using IPSec with a Static Virtual Tunnel Interface.

Configuring ISAKMP Policy..

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 
R1(config-isakmp)#hash md5 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2

Configuring Key for ISAKMP sessions..

R1(config)#crypto isakmp key IPSEC-KEY address 0.0.0.0 

Here 0.0.0.0 is used so that the key applies to any peer address..

Configuring IPSec Policy..

R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac 
R1(cfg-crypto-trans)#mode transport

Here, Transport mode is used because it lowers the overhead. Tunnel mode is not required, since the mGRE tunnel already encapsulates the traffic.

Configuring IPSec Profile..

R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set TSET

Applying in tunnel interface..

R1(config)#int tunnel 0
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

The same IPSec configuration must be placed on the Spoke routers too..

show crypto ipsec sa will verify the implementation as usual..

Tuesday, October 15, 2019

DMVPN (Dynamic Multipoint VPN) is a tunneling technology which we can implement over the Internet, using Internet edge routers to interconnect sites in a site-to-site fashion.

There are several concepts involved in DMVPN..

1. GRE
2. Multi-point GRE
3. NHRP
4. Routing
5. IPSec

GRE (Generic Routing Encapsulation) is the most basic L3 tunneling technology in networking. To learn GRE configuration please go here.

Multipoint GRE (mGRE) is an extension of GRE where we don't specify the tunnel destination and let one tunnel interface form many tunnels with several remote destinations.

NHRP (Next Hop Resolution Protocol) allows spokes to form tunnels directly with other spokes. This is achieved by one router (the hub) acting as a server (NHS) which stores a database of the public (NBMA) addresses of all the spoke routers. Note that we are talking about the Hub & Spoke type of topology in which DMVPN is natively implemented.

Routing is of course needed to identify the routes to the WAN sites. We can use any dynamic routing protocol or static routes for L3 routing. If you are going to use a dynamic routing protocol, you should enable multicast traffic on the tunnels.

IPSec is for security. Because DMVPN is implemented over the Internet, it is recommended to use this security framework.

There are 3 Phases (ways of implementation) of DMVPN.. We will go through each Phase with its configuration in this post. The following topology will be used..

The provider network is marked in blue. The setup has 3 routers which are connected over the internet. They represent 3 sites, and 3 PCs are here to test connectivity. I hope the IP addressing scheme is clear to anyone, as it is in the diagram. The SP router has the 2nd IP of the point-to-point links, and default routes are statically configured to that IP from R1, R2 & R3. R1 will be the Hub and R2, R3 will be the Spokes.

Phase 1

This way of implementation requires the Hub to be configured with mGRE and the Spokes to be configured with regular point-to-point GRE. This means that no direct dynamic tunnels will form between Spokes. All the traffic will come to the Hub and be routed as per the routing table of the Hub.

Configuration of the Hub is like the following..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

Configuration of the Spokes is like the following..

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel destination 13.18.12.1

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel destination 13.18.12.1

The following show commands will verify the implementation..

Phase 2

This is where the Spokes can dynamically create multiple tunnels directly between Spokes. The configuration is inherited from Phase 1 and changes only on the Spoke routers: in Phase 2 we remove the tunnel destination command and replace it with the tunnel mode gre multipoint command.

So the Configuration on routers will be like the following..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel mode gre multipoint

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel mode gre multipoint

Phase 3

This Phase changes the way NHRP operates. When a Spoke wants to reach something which is reachable via DMVPN, it sends the traffic to the Hub. Once the Hub realizes that this traffic must reach another Spoke, it sends NHRP redirects to both Spokes. When the Spokes receive the redirects, both of them send NHRP resolution requests to figure out the NBMA addresses. The Spoke routers then store a new route in their routing tables (shown with the % override marker) so that they can reach each other directly..

The following output shows how this looks.

The ip nhrp redirect command on the Hub and the ip nhrp shortcut command on the Spokes are added to the Phase 2 configuration to achieve this..

R1(config)#interface Tunnel 0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#ip nhrp authentication PASSWORD
R1(config-if)#ip nhrp network-id 1
R1(config-if)#ip nhrp redirect
R1(config-if)#tunnel source e0/0
R1(config-if)#tunnel mode gre multipoint

R2(config)#interface Tunnel0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#ip nhrp authentication PASSWORD
R2(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R2(config-if)#ip nhrp network-id 1
R2(config-if)#ip nhrp nhs 192.168.123.1
R2(config-if)#ip nhrp shortcut
R2(config-if)#tunnel source e0/0
R2(config-if)#tunnel mode gre multipoint

R3(config)#interface Tunnel0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#ip nhrp authentication PASSWORD
R3(config-if)#ip nhrp map 192.168.123.1 13.18.12.1
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 192.168.123.1
R3(config-if)#ip nhrp shortcut
R3(config-if)#tunnel source e0/0
R3(config-if)#tunnel mode gre multipoint
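As an added example that is not from the original post, the Python below parses the three tunnel blocks of the Phase 3 configuration (prompts stripped), works out which DMVPN phase the set of configs implements using the definitions above, and flags the mismatches that commonly break NHRP: authentication string or network-id differing between routers, a spoke whose NHS has no static ip nhrp map, a spoke with neither tunnel destination nor mGRE, or a half-done Phase 3 with redirect but no shortcut. Hub and spoke roles are inferred from the presence of ip nhrp nhs; nothing else is assumed.

```python
"""Audit the DMVPN tunnel configurations from this post and work out which
phase they implement. Added example: not the post's own code. The three
configs below are the post's Phase 3 commands with the CLI prompts removed."""
import re

# Constructed input: the post's Phase 3 tunnel blocks, prompts stripped.
CONFIGS = {
    "R1": """
interface Tunnel 0
 ip address 192.168.123.1 255.255.255.0
 ip nhrp authentication PASSWORD
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source e0/0
 tunnel mode gre multipoint
""",
    "R2": """
interface Tunnel0
 ip address 192.168.123.2 255.255.255.0
 ip nhrp authentication PASSWORD
 ip nhrp map 192.168.123.1 13.18.12.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.123.1
 ip nhrp shortcut
 tunnel source e0/0
 tunnel mode gre multipoint
""",
    "R3": """
interface Tunnel0
 ip address 192.168.123.3 255.255.255.0
 ip nhrp authentication PASSWORD
 ip nhrp map 192.168.123.1 13.18.12.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.123.1
 ip nhrp shortcut
 tunnel source e0/0
 tunnel mode gre multipoint
""",
}


def parse_tunnel(text):
    """Pull the NHRP and tunnel-mode settings out of one router's tunnel block."""
    cfg = {"ip": None, "auth": None, "network_id": None, "maps": {}, "nhs": [],
           "shortcut": False, "redirect": False, "mgre": False, "destination": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) \S+$", line):
            cfg["ip"] = m.group(1)
        elif m := re.match(r"ip nhrp authentication (\S+)$", line):
            cfg["auth"] = m.group(1)
        elif m := re.match(r"ip nhrp network-id (\d+)$", line):
            cfg["network_id"] = int(m.group(1))
        elif m := re.match(r"ip nhrp map (\S+) (\S+)$", line):
            cfg["maps"][m.group(1)] = m.group(2)  # tunnel IP -> NBMA (public) IP
        elif m := re.match(r"ip nhrp nhs (\S+)$", line):
            cfg["nhs"].append(m.group(1))
        elif line == "ip nhrp shortcut":
            cfg["shortcut"] = True
        elif line == "ip nhrp redirect":
            cfg["redirect"] = True
        elif line == "tunnel mode gre multipoint":
            cfg["mgre"] = True
        elif m := re.match(r"tunnel destination (\S+)$", line):
            cfg["destination"] = m.group(1)
    return cfg


def audit(configs):
    """Return (phase, problems). A router with no 'ip nhrp nhs' is treated as a hub."""
    parsed = {name: parse_tunnel(text) for name, text in configs.items()}
    hubs = [n for n, c in parsed.items() if not c["nhs"]]
    spokes = [n for n, c in parsed.items() if c["nhs"]]
    hub_ips = {parsed[h]["ip"] for h in hubs}
    problems = []

    # NHRP authentication string and network-id must agree across the whole cloud.
    if len({c["auth"] for c in parsed.values()}) != 1:
        problems.append("ip nhrp authentication differs between routers")
    if len({c["network_id"] for c in parsed.values()}) != 1:
        problems.append("ip nhrp network-id differs between routers")

    for h in hubs:
        if not parsed[h]["mgre"]:
            problems.append(f"{h}: hub must use 'tunnel mode gre multipoint'")
    for s in spokes:
        c = parsed[s]
        for nhs in c["nhs"]:
            if nhs not in c["maps"]:
                problems.append(f"{s}: NHS {nhs} has no static 'ip nhrp map' to its NBMA address")
            if nhs not in hub_ips:
                problems.append(f"{s}: NHS {nhs} is not the tunnel address of any hub")
        if c["destination"] is None and not c["mgre"]:
            problems.append(f"{s}: needs 'tunnel destination' (Phase 1) or 'tunnel mode gre multipoint' (Phase 2/3)")
        if c["destination"] is not None and c["mgre"]:
            problems.append(f"{s}: 'tunnel destination' and 'tunnel mode gre multipoint' are mutually exclusive")

    # Phase classification follows the definitions given in the post.
    if spokes and all(parsed[s]["destination"] for s in spokes):
        phase = 1
    elif all(parsed[s]["shortcut"] for s in spokes) and all(parsed[h]["redirect"] for h in hubs):
        phase = 3
    else:
        phase = 2
        if any(c["shortcut"] or c["redirect"] for c in parsed.values()):
            problems.append("Phase 3 partially configured: 'ip nhrp redirect' on the hub "
                            "and 'ip nhrp shortcut' on every spoke are both required")
    return phase, problems


if __name__ == "__main__":
    print(audit(CONFIGS))
```

Running it on the Phase 3 configs prints (3, []). Feeding it the Phase 1 spoke configs (tunnel destination instead of mGRE, no shortcut/redirect) returns phase 1, and dropping ip nhrp redirect from R1 alone yields phase 2 plus a warning about the partial Phase 3 setup, which is the usual symptom when spoke-to-spoke shortcuts never appear.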

Using IPSec over DMVPN is discussed in the following post..

IPSec Over DMVPN

Sunday, October 13, 2019

Before reading this, I suggest going through the following posts I wrote earlier, because this post is going to be an extension of those.

IPSec over Static Virtual Tunnel Interface on Cisco IOS

Topology looks like the following..

The provider network is marked in blue. The setup has 3 routers which are connected over the internet. They represent 3 sites, and 3 PCs are here to test connectivity. I hope the IP addressing scheme is clear to anyone, as it is in the diagram. The SP router has the 2nd IP of the point-to-point links, and default routes are statically configured to that IP from R1, R2 & R3.

Let's continue with the configuration..

Following are the steps.

1. Define the Key Ring
2. Create IKE Phase 1 Policy
3. Create IKE Phase 2 Policy
4. Create IPSec Profile
5. Create Virtual Template
6. Create ISAKMP Profile
7. Configure Dynamic Routing Protocol

Let's take R1 as the Hub,

1. Define the Key Ring

For this setup, I am going to use a key ring which has a unique key for each peer.

R1(config)#crypto keyring KEY_RING
R1(conf-keyring)#pre-shared-key  address 26.68.13.1 key R1R2
R1(conf-keyring)#pre-shared-key  address 32.18.32.1 key R1R3

2. Create IKE Phase 1 Policy

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#authentication pre-share

3. Create IKE Phase 2 policy

R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel

4. Create IPSec Profile

This is a replacement for the crypto map and is used for tunnel interfaces.

R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set TSET

5. Create the Virtual Template

The virtual template is where we put the interface-related configuration. This information is copied to create a virtual access interface per tunnel. The IP address is borrowed from the loopback interface.

R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

6. Create the ISAKMP Profile

This is where we define the key ring, the remote peers and the virtual template.

R1(config)#crypto isakmp profile ISAKMP_PROFILE
R1(conf-isa-prof)#match identity address 26.68.13.1
R1(conf-isa-prof)#match identity address 32.18.32.1
R1(conf-isa-prof)#keyring KEY_RING
R1(conf-isa-prof)#virtual-template 1

7. Configure Dynamic Routing Protocol

This is needed to reach the networks where the hosts are.

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0

The other routers (Spokes) do not require DVTIs (Dynamic Virtual Tunnel Interfaces). A Static VTI is enough.

So R2's configuration will be like the following..

crypto isakmp key R1R2 address 13.18.12.1

crypto isakmp policy 1
 encryption aes
 hash sha
 group 5
 authentication pre-share

crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANSFORM_SET

interface Tunnel 0
 ip unnumbered loopback 0
 tunnel source e0/0
 tunnel destination 13.18.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

router ospf 1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.2.0 0.0.0.255 area 0

R3's configuration will be like the following..

crypto isakmp key R1R3 address 13.18.12.1

crypto isakmp policy 1
 encryption aes
 hash sha
 group 5
 authentication pre-share

crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANSFORM_SET

interface Tunnel 0
 ip unnumbered loopback 0
 tunnel source e0/0
 tunnel destination 13.18.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.3.0 0.0.0.255 area 0

Following show commands will verify the work..

Note that the virtual template interface is down and the virtual access interfaces are up. This is the normal behavior.

As you can see in the above outputs, the OSPF neighbor is formed through the virtual access interfaces.
I think the multicast hello is encapsulated and sent through the tunnel and that is how the OSPF neighbor relationship is formed in the 1st place..
A ping and a traceroute to PC3 from PC1 will look like the following..

Tuesday, October 8, 2019

Please read my post on IPSec over GRE Tunneling with Crypto Maps on Cisco IOS before reading this, because this post explains how we can do the same kind of thing without ACLs and Crypto Maps. So this method will be much simpler and more straightforward.

The following links will give you a good idea of what I am going to do here.

Topology looks like the following..

Configuration of R1 will look like the following..

R1(config)#int e0/1
R1(config-if)#ip ospf 1 area 0

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha                 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2                  
R1(config-isakmp)#lifetime 60              
R1(config-isakmp)#encryption aes 

R1(config)#crypto isakmp key PASSWORD address 3.3.3.3

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R1(config)#crypto ipsec profile IPSECPROFILE
R1(ipsec-profile)#set transform-set TRANSFORMSET

R1(config)#int t0
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source loopback0
R1(config-if)#tunnel destination 3.3.3.3
R1(config-if)#ip ospf 1 area 0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSECPROFILE

Configuration of R3 will be like the following..

R3(config)#int e0/1
R3(config-if)#ip ospf 1 area 0

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha                 
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 2                  
R3(config-isakmp)#lifetime 60              
R3(config-isakmp)#encryption aes 

R3(config)#crypto isakmp key PASSWORD address 1.1.1.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R3(config)#crypto ipsec profile IPSECPROFILE
R3(ipsec-profile)#set transform-set TRANSFORMSET

R3(config)#int t0
R3(config-if)#ip address 13.13.13.3 255.255.255.0
R3(config-if)#tunnel source loopback0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#ip ospf 1 area 0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile IPSECPROFILE

Also not to forget that the R2 needs following routes to route the traffic between R1 and R3,

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

Red lines show the new changes. We have removed the ACLs and Crypto Maps, created something called an IPSec profile, set the transform set in it, and applied it directly to the tunnel interface.

Following show command will verify the implementation..

R1#show crypto ipsec sa

Note :- 
We can use static routes here instead of dynamic routing. The point is that the route must point to the tunnel interface.
Also note that the IPSec peer addresses are taken from the tunnel source and destination; these can be physical interfaces instead of the loopbacks I have used here.

This post is an extension of my previous post, where I configured a Loopbacks Sourced IPSec VPN with Crypto Maps on Cisco IOS, and this time we are going to secure a GRE tunnel using IPSec.

Please refer to my previous posts at the following links for further understanding of the concepts..

Loopbacks Sourced IPSec VPN Configuration with Crypto Maps on Cisco IOS
IPSec Site-to-Site VPN Configuration with Crypto Maps on Cisco IOS
Configuring GRE Tunnels

Here, I am only discussing the new commands I enter to make this work.

The following image will give you a high-level understanding of how this works.

So as you can see, the OSPF neighbor adjacency will be formed through the GRE tunnel (interface tunnel 0) and will exchange the user segments. The loopback interfaces will be the sources of the GRE tunnel, and the IPSec peering will be between the loopbacks. Finally, as always, the Crypto Maps will be applied to the physical interface.

Actual setup will be like the following..

Configuration of R1 will be like the following..

R1(config)#int t0
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source loopback0
R1(config-if)#tunnel destination 3.3.3.3
R1(config-if)#ip ospf 1 area 0

R1(config)#int e0/1
R1(config-if)#ip ospf 1 area 0

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha                 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2                  
R1(config-isakmp)#lifetime 60              
R1(config-isakmp)#encryption aes 

R1(config)#crypto isakmp key PASSWORD address 3.3.3.3

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R1(config)#ip access-list extended 150
R1(config-ext-nacl)#permit gre host 1.1.1.1 host 3.3.3.3

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#match address 150                    
R1(config-crypto-map)#set transform-set TRANSFORMSET       
R1(config-crypto-map)#set peer 3.3.3.3

R1(config)#crypto map CRYPTOMAP local-address Loopback0

R1(config-crypto-map)#int e0/0
R1(config-if)#crypto map CRYPTOMAP

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

Configuration of R3 will be like the following..

R3(config)#int t0
R3(config-if)#ip address 13.13.13.3 255.255.255.0
R3(config-if)#tunnel source loopback0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#ip ospf 1 area 0

R3(config)#int e0/1
R3(config-if)#ip ospf 1 area 0

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes 

R3(config)#crypto isakmp key PASSWORD address 1.1.1.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac 

R3(config)#ip access-list extended 150
R3(config-ext-nacl)#permit gre host 3.3.3.3 host 1.1.1.1

R3(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R3(config-crypto-map)#match address 150
R3(config-crypto-map)#set transform-set TRANSFORMSET
R3(config-crypto-map)#set peer 1.1.1.1

R3(config)#crypto map CRYPTOMAP local-address Loopback0

R3(config-crypto-map)#int e0/0
R3(config-if)#crypto map CRYPTOMAP

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.1 255.255.255.255 192.168.12.1

For this topology, we need to configure routing on R2 for the loopbacks, because the packets carry source and destination IP addresses matching the peer IP addresses (loopbacks) of the tunnel.

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

Routing table of R1 will be like the following..

Following show commands verify the implementation..

This post is an extension to the previous post I wrote on IPSec Site-to-Site VPN Configuration with Crypto Maps on Cisco IOS, and this time we are using Loopback IPs to form the IPSec tunnel. So please refer to the detailed step-by-step explanation of the commands I entered there. Most of the commands in that post will be used here, but only the special commands will be discussed.

The following image shows a high-level overview of how this works.

As you can see, Crypto Maps are always applied to the physical interface, even though the IPSec peers are configured on Loopbacks (logical interfaces).

Actual setup we use is like the following..

This is almost the same topology used in my previous post mentioned above. Additionally, gateways for the user LANs are configured as 11.11.11.254 on R1 and 33.33.33.254 on R3 to test the data traffic.

So the configuration on R1 will be like the following..

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha                 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2                  
R1(config-isakmp)#lifetime 60              
R1(config-isakmp)#encryption aes 

R1(config)#crypto isakmp key PASSWORD address 3.3.3.3

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

R1(config)#ip access-list extended 150
R1(config-ext-nacl)#permit ip 11.11.11.0 0.0.0.255 33.33.33.0 0.0.0.255

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#match address 150                    
R1(config-crypto-map)#set transform-set TRANSFORMSET       
R1(config-crypto-map)#set peer 3.3.3.3

R1(config)#crypto map CRYPTOMAP local-address Loopback0

R1(config-crypto-map)#int e0/0
R1(config-if)#crypto map CRYPTOMAP

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 33.33.33.0 255.255.255.0 192.168.23.3
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

Configuration on R3 will be like the following..

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes 

R3(config)#crypto isakmp key PASSWORD address 1.1.1.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac 

R3(config)#ip access-list extended 150
R3(config-ext-nacl)#permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255

R3(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R3(config-crypto-map)#match address 150
R3(config-crypto-map)#set transform-set TRANSFORMSET
R3(config-crypto-map)#set peer 1.1.1.1

R3(config)#crypto map CRYPTOMAP local-address Loopback0

R3(config-crypto-map)#int e0/0
R3(config-if)#crypto map CRYPTOMAP

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.1 255.255.255.255 192.168.12.1
R3(config)#ip route 11.11.11.0 255.255.255.0 192.168.12.1

For this topology, we need to configure routing on R2 for the loopbacks, because the packets carry source and destination IP addresses matching the peer IP addresses (loopbacks) of the tunnel.

R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3

Following show commands verify the implementation.

Thursday, October 3, 2019

I am going to analyse the packet flow of the IPSec VPN I configured in the following post.

So please use it as the reference.

The packet capture can be downloaded from here.

The flow looks like the following when I ping from R1's Loopback to R3's Loopback for the 1st time.

The 1st 6 packets belong to the Main Mode of IKE Phase 1, the next 3 packets are the IKE Phase 2 Quick Mode, and the next 8 packets are the ICMP traffic I pinged, which is the actual data. There are 8 packets because of the sent requests and received replies for 4 complete ICMP pings; the 1st ping is dropped, as you can see.

If you analyse the 1st 2 packets, you will see the parameters being negotiated from both ends..

In the 3rd and 4th packets you will find the DH keys being exchanged, along with nonces from both parties.

The 5th and 6th messages are now encrypted with the generated keys, so their content will not be visible. They are used for identification and authentication of each peer.

Actually, all the later packets are encrypted. So you won't find much information in the packet capture.
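To make the packet walk above concrete, here is an added Python decoder (not from the original post) for the fixed 28-byte ISAKMP header and the cleartext payload chain of IKEv1 packets. Given a raw ISAKMP message it reports the exchange type, the encryption flag and the payload types, and classifies which of the six Main Mode messages (or Quick Mode) it is. The sample packets at the end are constructed with the build_isakmp helper, not taken from the capture; a real UDP/500 payload from the capture can be passed to parse_isakmp unchanged.

```python
"""Decode the ISAKMP (IKEv1) header and payload chain so a capture like the
one analysed above can be classified as Main Mode messages 1-2 (SA),
3-4 (KE + nonce), 5-6 (encrypted) or Quick Mode. Added example, not part of
the original post; the packets at the bottom are constructed, not captured."""
import struct

# Field layout of the 28-byte ISAKMP header (RFC 2408 section 3.1):
# initiator cookie, responder cookie, next payload, version, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}


def parse_isakmp(pkt: bytes) -> dict:
    """Return the header fields and the list of cleartext payload types."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than the ISAKMP header")
    icookie, rcookie, next_pl, version, exch, flags, msg_id, length = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError(f"header length {length} does not match packet size {len(pkt)}")
    info = {
        "initiator_spi": icookie.hex(),
        "responder_spi": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "payloads": [],
    }
    if info["encrypted"]:
        return info  # everything after the header is ciphertext; nothing more to walk
    off = HEADER.size
    while next_pl != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload chain")
        # Generic payload header: next payload, reserved, length (length includes these 4 bytes).
        nxt, _reserved, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        info["payloads"].append(PAYLOAD_TYPES.get(next_pl, f"unknown({next_pl})"))
        next_pl, off = nxt, off + plen
    return info


def main_mode_step(info: dict) -> str:
    """Map a decoded packet onto the six Main Mode steps described in the post."""
    if info["exchange"] != "Main Mode":
        return info["exchange"]
    if info["encrypted"]:
        return "messages 5-6: encrypted identity and authentication"
    present = set(info["payloads"])
    if "SA" in present:
        return "messages 1-2: SA proposal / policy negotiation"
    if {"KE", "NONCE"} <= present:
        return "messages 3-4: Diffie-Hellman public values and nonces"
    return "unrecognised Main Mode payload set"


def build_isakmp(exch, flags, payloads, msg_id=0, ciphertext=b"", rcookie=b"\xaa" * 8):
    """Construct a minimal ISAKMP message for demonstration. `payloads` is a list of
    (type, body) tuples; for an encrypted message pass payloads=[] and a ciphertext blob."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    body += ciphertext
    first = payloads[0][0] if payloads else (5 if ciphertext else 0)  # 5 = ID, as in message 5/6
    return HEADER.pack(b"\x01" * 8, rcookie, first, 0x10, exch, flags, msg_id,
                       HEADER.size + len(body)) + body


# Constructed sample packets mirroring the capture discussed above (not real captures).
MSG1 = build_isakmp(2, 0, [(1, b"\x00" * 8)], rcookie=b"\x00" * 8)     # SA; responder SPI still zero
MSG3 = build_isakmp(2, 0, [(4, b"\x11" * 16), (10, b"\x22" * 8)])      # KE + NONCE
MSG5 = build_isakmp(2, FLAG_ENCRYPTION, [], ciphertext=b"\x33" * 16)    # encrypted ID/HASH
QM1 = build_isakmp(32, FLAG_ENCRYPTION, [], msg_id=0x1234, ciphertext=b"\x44" * 16)

if __name__ == "__main__":
    for pkt in (MSG1, MSG3, MSG5, QM1):
        info = parse_isakmp(pkt)
        print(info["exchange"], info["payloads"], "->", main_mode_step(info))
```

The 5th/6th messages and every Quick Mode packet carry the encryption flag, so only their header fields (SPIs, exchange type, message ID) are readable; that is exactly why the later packets in the capture show nothing beyond the header.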

Note:- 
When you hit the command ping 3.3.3.3, and the outgoing interface is configured with a crypto map which matches the traffic in the ACL, the destination address of the packet will be the peer address of the crypto map (192.168.23.3) in both Tunnel and Transport modes.

Consider the following topology. I am going to configure the most basic IPSec Site-to-Site VPN between R1 and R3. I will configure R1's E0/0 (192.168.12.1) and R3's E0/0 (192.168.23.3) as the tunnel ends, which will be used to reach the loopback interfaces of R1 (1.1.1.1/32) & R3 (3.3.3.3/32).

For IPSec related theory please go here.

There are 6 steps in the configuration process per router.

1. Configure ISAKMP policy with (HAGLE)
2. Configure Keys
3. Configure Transform Set for IPSec
4. Configure ACL for Interesting Traffic
5. Configure Crypto Map
6. Apply Crypto Map on interface

STEP 01 : Configure ISAKMP policy

This is the step in which we define the IKE Phase 1 tunnel parameters, which you can remember as HAGLE.

H - Hash Type
A - Authentication Method
G - Groups (DH)
L - Lifetime
E - Encryption Method

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha                 
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2                  
R1(config-isakmp)#lifetime 60              
R1(config-isakmp)#encryption aes 

STEP 02 : Configure Keys

R1(config)#crypto isakmp key PASSWORD address 192.168.23.3

STEP 03 : Configure Transform Set for IPSec

A transform set is an acceptable combination of security protocols and algorithms.
esp-aes is used for ESP encryption and esp-sha-hmac is used for ESP authentication.

R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

STEP 04 : Configure ACL for Interesting Traffic

R1(config)#ip access-list extended 100
R1(config-ext-nacl)#permit ip host 1.1.1.1 host 3.3.3.3

STEP 05 : Configure Crypto Map

Crypto Map is where we match the interesting traffic and set the peer and transform set.

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#match address 100                    
R1(config-crypto-map)#set transform-set TRANSFORMSET       
R1(config-crypto-map)#set peer 192.168.23.3

STEP 06 : Apply Crypto Map on interface

R1(config)#int e0/0
R1(config-if)#crypto map CRYPTOMAP 

Additionally we will need some routing for IPSec to work too.

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.3 255.255.255.255 192.168.23.3

The 1st route is to reach the tunnel destination, which must be known via underlay routing, and the 2nd route is to reach the destination of the interesting traffic, which points to the tunnel destination.

The same should be configured on R3 from its perspective, like the following..

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share 
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes 

R3(config)#crypto isakmp key PASSWORD address 192.168.12.1

R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac 

R3(config)#ip access-list extended 100
R3(config-ext-nacl)#permit ip host 3.3.3.3 host 1.1.1.1

R3(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#set peer 192.168.12.1
R3(config-crypto-map)#set transform-set TRANSFORMSET 

R3(config-crypto-map)#int e0/0
R3(config-if)#crypto map CRYPTOMAP

R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.1 255.255.255.255 192.168.12.1

Now pings from R1's loopback to R3's loopback and vice versa will work.
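As an added example, not the post's own code, the Python below evaluates crypto ACL entries the way the crypto map does when deciding whether a packet is interesting traffic (first match, implicit deny, Cisco wildcard masks) and checks that R1's and R3's ACLs mirror each other, which is the proxy-identity agreement that IKE Phase 2 needs and that fails when one side's ACL is mistyped. It also handles the wildcard-mask and GRE forms used in the other crypto-map posts on this page; the ACL lines at the bottom are copied from the R1 and R3 steps above.

```python
"""Evaluate 'interesting traffic' ACL entries the way a crypto map does, and
check that the two peers' ACLs mirror each other. Added example, not the
post's own code; the ACL lines are copied from the R1 and R3 steps above."""
import ipaddress


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard bits are the inverse of a netmask; only contiguous masks are supported here."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def _take_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> dict:
    """'permit ip host 1.1.1.1 host 3.3.3.3' -> {'action', 'proto', 'src', 'dst'}."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected ACE: {line}")
    src, rest = _take_address(tokens[2:])
    dst, _rest = _take_address(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def is_interesting(acl, proto: str, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end, as on IOS.
    An 'ip' entry matches any protocol; a 'gre' entry matches only GRE."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]:
            return ace["action"] == "permit"
    return False


def mirror_mismatches(acl_a, acl_b):
    """Permit entries of acl_a that have no source/destination-swapped twin in acl_b.
    Such asymmetry means the proxy identities differ and IKE Phase 2 will not complete."""
    b_pairs = {(e["proto"], e["src"], e["dst"]) for e in acl_b if e["action"] == "permit"}
    return [e for e in acl_a
            if e["action"] == "permit" and (e["proto"], e["dst"], e["src"]) not in b_pairs]


# ACL 100 from the R1 and R3 steps above (constructed lists, one line each).
R1_ACL = [parse_ace("permit ip host 1.1.1.1 host 3.3.3.3")]
R3_ACL = [parse_ace("permit ip host 3.3.3.3 host 1.1.1.1")]

if __name__ == "__main__":
    print("loopback-to-loopback ping is interesting:", is_interesting(R1_ACL, "icmp", "1.1.1.1", "3.3.3.3"))
    print("underlay-sourced traffic is interesting:", is_interesting(R1_ACL, "icmp", "192.168.12.1", "3.3.3.3"))
    print("mirror mismatches between R1 and R3:", mirror_mismatches(R1_ACL, R3_ACL))
```

A ping sourced from the E0/0 address rather than the loopback is not interesting, so it goes out in clear text; that is the usual reason a site-to-site tunnel "never comes up" when tested with a plain ping, and why the post pings loopback to loopback.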

For verification, the following commands can be used.

show crypto map interface e0/0

show crypto ipsec sa

Note :-
You may notice that the ISAKMP policy is not referenced per Crypto Map. It is used for all the VPNs while the IKE Phase 1 tunnel is forming. If a separate ISAKMP policy is needed per VPN, ISAKMP Profiles must be configured and referenced in the IPSec Profiles per VPN.

Also note that there are 2 SPIs (Security Parameter Index) for each VPN, one inbound and one outbound.
The inbound SPI of R1 is equal in value to the outbound SPI of R3, and the outbound SPI of R1 is equal to the inbound SPI of R3.

If you want to see a packet capture for this, please go here.

Also note that in IPSec, an ACL can capture locally generated traffic.