R1#ping 192.168.2.254 repeat 100000
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.
Success rate is 99 percent (365/366), round-trip min/avg/max = 68/100/232 ms
R1#
R1#sho run
R1#sho running-config
Building configuration...
Current configuration : 1662 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ipsec address 10.0.2.1
!
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map MAP1 1 ipsec-isakmp
set peer 10.0.2.1
set transform-set IPSEC
match address ACL1
!
!
!
!
interface Tunnel1
ip address 100.0.0.1 255.255.255.252
tunnel source GigabitEthernet1/0
tunnel destination 10.0.2.1
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
ip address 10.0.1.1 255.255.255.252
negotiation auto
crypto map MAP1
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
router ospf 1
log-adjacency-changes
network 100.0.0.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended ACL1
permit gre host 10.0.1.1 host 10.0.2.1
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#sho cry isa sa
dst src state conn-id slot status
10.0.2.1 10.0.1.1 QM_IDLE 1 0 ACTIVE
R1#sho cry ipsec sa
interface: GigabitEthernet1/0
Crypto map tag: MAP1, local addr 10.0.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/47/0)
current_peer 10.0.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 454, #pkts encrypt: 454, #pkts digest: 454
#pkts decaps: 428, #pkts decrypt: 428, #pkts verify: 428
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 16, #recv errors 0
local crypto endpt.: 10.0.1.1, remote crypto endpt.: 100.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 10.0.1.1, remote crypto endpt.: 10.0.2.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0
current outbound spi: 0x4206FCA5(1107754149)
inbound esp sas:
spi: 0x283F14B1(675222705)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4569184/3013)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4206FCA5(1107754149)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4569180/3013)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
100.0.0.0/30 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, Tunnel1
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.1.0 is directly connected, GigabitEthernet1/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
O 192.168.2.0/24 [110/11112] via 100.0.0.2, 00:01:19, Tunnel1
S* 0.0.0.0/0 is directly connected, GigabitEthernet1/0
R1#
R1#sho ip os neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.2.254 0 FULL/ - 00:00:36 100.0.0.2 Tunnel1
R1#
R1#show ip os interface
Tunnel1 is up, line protocol is up
Internet Address 100.0.0.1/30, Area 0
Process ID 1, Router ID 192.168.1.254, Network Type POINT_TO_POINT, Cost: 11111
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.2.254
Suppress hello for 0 neighbor(s)
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.1.254/24, Area 0
Process ID 1, Router ID 192.168.1.254, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 192.168.1.254, Interface address 192.168.1.254
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
R1#
On Tunnel1, the OSPF Network Type becomes POINT_TO_POINT.
No DR/BDR exists.
The peer is discovered automatically.
R3#sho running-config
Building configuration...
Current configuration : 1664 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ipsec address 10.0.1.1
!
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map MAP1 1 ipsec-isakmp
set peer 10.0.1.1
set transform-set IPSEC
match address ACL1
!
!
!
!
interface Tunnel1
ip address 100.0.0.2 255.255.255.252
tunnel source GigabitEthernet2/0
tunnel destination 10.0.1.1
!
interface FastEthernet0/0
ip address 192.168.2.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet2/0
ip address 10.0.2.1 255.255.255.252
negotiation auto
crypto map MAP1
!
router ospf 1
log-adjacency-changes
network 100.0.0.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!
no ip http server
no ip http secure-server
!
!
!
ip access-list extended ACL1
permit gre host 10.0.2.1 host 10.0.1.1
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R3#sho cry isa sa
dst src state conn-id slot status
10.0.2.1 10.0.1.1 QM_IDLE 1 0 ACTIVE
R3#sho cry ipsec sa
interface: GigabitEthernet2/0
Crypto map tag: MAP1, local addr 10.0.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.1.1/255.255.255.255/47/0)
current_peer 10.0.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 428, #pkts encrypt: 428, #pkts digest: 428
#pkts decaps: 454, #pkts decrypt: 454, #pkts verify: 454
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.2.1, remote crypto endpt.: 100.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 10.0.2.1, remote crypto endpt.: 10.0.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2/0
current outbound spi: 0x283F14B1(675222705)
inbound esp sas:
spi: 0x4206FCA5(1107754149)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4550791/3020)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x283F14B1(675222705)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4550795/3020)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
100.0.0.0/30 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, Tunnel1
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.2.0 is directly connected, GigabitEthernet2/0
O 192.168.1.0/24 [110/11112] via 100.0.0.1, 00:01:26, Tunnel1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, GigabitEthernet2/0
R3#
R3#sho ip os neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.254 0 FULL/ - 00:00:36 100.0.0.1 Tunnel1
R3#