Monday, June 23, 2008

Router-to-Router IPSec (RSA Keys) on GRE Tunnel with RIP Configuration Example / Cisco Systems

Router-to-Router IPSec (RSA Keys) on GRE Tunnel with RIP Configuration Example [IPSec Negotiation/IKE Protocols] - Cisco Systems
This document provides a sample configuration for two routers that authenticate each other with RSA keys (ISAKMP `authentication rsa-encr`, with each peer's public key entered by hand). Both routers run IPSec over a Generic Routing Encapsulation (GRE) tunnel, and Routing Information Protocol (RIP) runs across the tunnel to exchange the loopback networks.

Router 101
Building configuration...

Current configuration : 1486 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 101
!
!
clock timezone PST -8
ip subnet-zero
ip domain name cisco.com
ip host 102.cisco.com 20.1.1.2
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
authentication rsa-encr
crypto isakmp identity hostname
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set test esp-des esp-sha-hmac
mode transport
!
crypto map test 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set test
match address 101
!
!
crypto key pubkey-chain rsa
named-key 102.cisco.com
key-string
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DB4FEB EF0C0D3D
72FC5BD3 29C8E94B 726161BC F1AF337C E5F2D11D FBFC2245 95EA2AB7 9D09156C
08A5A7CD 36E43D94 F1E3C978 37A79379 384D2A72 CE575E91 3F020301 0001
quit
!
!
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.252
ip mtu 1420
tunnel source Ethernet1/0
tunnel destination 20.1.1.2
crypto map test
!
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1/0
ip address 20.1.1.1 255.255.255.0
crypto map test
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
router rip
version 2
passive-interface Ethernet1/0
network 10.0.0.0
network 192.168.1.0
!
ip classless
no ip http server
!
!
access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

101#

Router 102
102#write terminal
Building configuration...

Current configuration : 1484 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 102
!
!
clock timezone PST -8
ip subnet-zero
ip domain name cisco.com
ip host 101.cisco.com 20.1.1.1
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
authentication rsa-encr
crypto isakmp identity hostname
crypto isakmp keepalive 20 5
!
!
crypto ipsec transform-set test esp-des esp-sha-hmac
mode transport
!
crypto map test 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set test
match address 101
!
!
crypto key pubkey-chain rsa
named-key 101.cisco.com
address 20.1.1.1
key-string
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A7D24F E6E15787
5EE1434A A76A3DC1 ADE96A4D C6B4D0F3 A7DDAD10 446EF83A 89D1115F 0C517118
ECAF418E F4C84823 2A017B97 F85690EF EBCF3414 AB3E81F6 A5020301 0001
quit
!
!
!
interface Loopback1
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
ip address 10.10.10.2 255.255.255.252
ip mtu 1420
tunnel source Ethernet0/0
tunnel destination 20.1.1.1
crypto map test
!
interface Ethernet0/0
ip address 20.1.1.2 255.255.255.0
crypto map test
!
interface Ethernet1/0
no ip address
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
router rip
version 2
passive-interface Ethernet0/0
network 10.0.0.0
network 172.16.0.0
!
ip classless
no ip http server
!
!
access-list 101 permit gre host 20.1.1.2 host 20.1.1.1
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

102#
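Added here as an editor's example, not part of the Cisco document: a small Python check that parses the crypto-relevant lines of both configurations and confirms that peer addresses, tunnel endpoints, RSA named-keys, GRE access lists and transform sets are mirror images of each other, and that flags the transform set's use of DES, which is long deprecated. The config excerpts embedded in the block are constructed from the two configurations above; the function and field names are my own.

```python
import re

# Constructed excerpts of the Router 101 / Router 102 configs on this page: only the
# lines the checks below read, with IOS's one-space sub-command indentation.
R101 = "\n".join([
    "hostname 101", "ip domain name cisco.com",
    "crypto ipsec transform-set test esp-des esp-sha-hmac",
    "crypto map test 10 ipsec-isakmp", " set peer 20.1.1.2",
    "crypto key pubkey-chain rsa", " named-key 102.cisco.com",
    "interface Tunnel0", " tunnel source Ethernet1/0", " tunnel destination 20.1.1.2",
    "interface Ethernet1/0", " ip address 20.1.1.1 255.255.255.0",
    "access-list 101 permit gre host 20.1.1.1 host 20.1.1.2"])
R102 = "\n".join([
    "hostname 102", "ip domain name cisco.com",
    "crypto ipsec transform-set test esp-des esp-sha-hmac",
    "crypto map test 10 ipsec-isakmp", " set peer 20.1.1.1",
    "crypto key pubkey-chain rsa", " named-key 101.cisco.com",
    "interface Tunnel0", " tunnel source Ethernet0/0", " tunnel destination 20.1.1.1",
    "interface Ethernet0/0", " ip address 20.1.1.2 255.255.255.0",
    "access-list 101 permit gre host 20.1.1.2 host 20.1.1.1"])
WEAK = {"esp-des", "esp-md5-hmac"}  # 56-bit DES and MD5 are deprecated for IPsec

def grab(cfg, pat):
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the fields that must agree between the two IPsec/GRE peers."""
    ifaces = dict(re.findall(r"^interface (\S+)\n(?: .*\n)*? ip address (\S+)", cfg, re.M))
    return {"host": grab(cfg, r"^hostname (\S+)"),
            "domain": grab(cfg, r"^ip domain name (\S+)"),
            "peer": grab(cfg, r"^ set peer (\S+)"),
            "named_key": grab(cfg, r"^ named-key (\S+)"),
            "transform": grab(cfg, r"^crypto ipsec transform-set \S+ (.+)$"),
            "tunnel_dst": grab(cfg, r"^ tunnel destination (\S+)"),
            "wan_ip": ifaces.get(grab(cfg, r"^ tunnel source (\S+)")),  # IP of tunnel source
            "gre_acl": re.findall(r"^access-list \d+ permit gre host (\S+) host (\S+)", cfg, re.M)}

def cross_check(a, b):
    """Return the mismatches between parsed peer configs a and b ([] when consistent)."""
    issues = []
    for x, y in ((a, b), (b, a)):  # each side's settings must point at the other side
        want = {"peer": y["wan_ip"], "tunnel_dst": y["wan_ip"],
                "named_key": f'{y["host"]}.{y["domain"]}',  # isakmp identity hostname
                "gre_acl": [(x["wan_ip"], y["wan_ip"])], "transform": y["transform"]}
        issues += [f'{x["host"]}: {k} is {x[k]!r}, expected {v!r}'
                   for k, v in want.items() if x[k] != v]
    return issues

def weak_algorithms(parsed):
    """Names of transform-set algorithms that are considered weak."""
    return sorted(WEAK & set((parsed["transform"] or "").split()))
```

Running `cross_check(parse(R101), parse(R102))` on the page's configs returns no issues, while `weak_algorithms` reports `esp-des`; replacing it with an AES transform (for example `esp-aes 256 esp-sha-hmac`) is the change a practitioner would make before deploying this.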

Related Information:
IPSec Support Page