Sunday, October 12, 2014

Debug Cisco Tunnels: Basic Configuration



Tunnels are part of both the CCNA and CCNP exams, so it is important to know them, and to know what to do when they refuse to work. Here I collect the basic configurations for the tunnels we will debug. I will not explain the configuration; if you need further explanation, please visit www.cisco.com and read the official manuals.

Basic Configuration

R1

hostname R1

interface Serial1/0
 description LinkToR2
 ip address 200.0.0.1 255.255.255.252
 serial restart-delay 0
 no sh

line con 0
 logging synchronous



R2

hostname R2

interface Serial1/0
 description LinkToR1
 ip address 200.0.0.2 255.255.255.252
 serial restart-delay 0
 no sh

line con 0
 logging synchronous

GRE

R1

 interface Tunnel0
  description Tunnel
  ip address 192.168.1.1 255.255.255.0
  tunnel source Serial1/0
  tunnel destination 200.0.0.2

R2

 interface Tunnel0
  description Tunnel
  ip address 192.168.1.2 255.255.255.0
  tunnel source Serial1/0
  tunnel destination 200.0.0.1

Verification:

show logging
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

R1#show ip interface brief | include Tunnel0
Tunnel0                    192.168.1.1     YES manual up                    up

R2#show ip interface brief | include Tunnel0
Tunnel0                    192.168.1.2     YES manual up                    up

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms

R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/20 ms

IPsec

R1

ip access-list extended IPSEC
 permit gre host 200.0.0.1 host 200.0.0.2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secretpassw0rd address 200.0.0.2

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set TRANSFORM
 match address IPSEC

interface Serial 1/0
 crypto map MAP

interface Tun0
 crypto map MAP

R2

ip access-list extended IPSEC
 permit gre host 200.0.0.2 host 200.0.0.1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secretpassw0rd address 200.0.0.1

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set TRANSFORM
 match address IPSEC

interface Serial 1/0
 crypto map MAP

interface Tun0
 crypto map MAP


Verification:
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/28 ms

R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/52 ms

(Before checking the counters, it is a good idea to reset them first: clear ip access-list counters)

R2#sh ip access-lists
Extended IP access list IPSEC
    10 permit gre host 200.0.0.2 host 200.0.0.1 (15 matches)

R1#sh ip access-lists
Extended IP access list IPSEC
    10 permit gre host 200.0.0.1 host 200.0.0.2 (15 matches)
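The R1 and R2 IPsec configurations above are mirror images of each other, and when a GRE over IPsec tunnel stops working, a field that no longer mirrors the other side (peer address, ISAKMP key address, crypto ACL, transform set, ISAKMP policy) is the first thing to check. As an added example that is not from the original post, the Python script below parses the relevant lines of both configs (constructed here from a template filled with the page's addresses) and reports every field that does not line up; it assumes Serial1/0 is the first interface carrying an IP address, as in the configs above.

```python
import re

# Constructed for this example: the lines of the R1/R2 configs above that must
# agree between the endpoints, filled from a template with the page's addresses.
TEMPLATE = """\
interface Serial1/0
 ip address {me} 255.255.255.252
interface Tunnel0
 tunnel destination {peer}
ip access-list extended IPSEC
 permit gre host {me} host {peer}
crypto isakmp policy 1
 encr 3des
 hash md5
 group 5
crypto isakmp key secretpassw0rd address {peer}
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
 set peer {peer}
"""
R1_CFG = TEMPLATE.format(me="200.0.0.1", peer="200.0.0.2")
R2_CFG = TEMPLATE.format(me="200.0.0.2", peer="200.0.0.1")
def field(cfg, pattern):  # first capture group of the first matching line, else None
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None
def parse(cfg):
    # Assumes Serial1/0 is the first interface carrying an address, as in the configs above.
    return {
        "serial_ip": field(cfg, r"^ ip address (\S+) "),
        "tunnel_dst": field(cfg, r"^ tunnel destination (\S+)"),
        "acl": (field(cfg, r"^ permit gre host (\S+)"), field(cfg, r"^ permit gre host \S+ host (\S+)")),
        "key_addr": field(cfg, r"^crypto isakmp key \S+ address (\S+)"),
        "peer": field(cfg, r"^ set peer (\S+)"),
        "transform": field(cfg, r"^crypto ipsec transform-set \S+ (.+)$"),
        "policy": tuple(field(cfg, rf"^ {k} (\S+)") for k in ("encr", "hash", "group")),
    }
def check_pair(r1, r2):
    """Mismatches seen from each side; an empty list means the two configs mirror each other."""
    out = []
    for who, a, b in (("R1", parse(r1), parse(r2)), ("R2", parse(r2), parse(r1))):
        for name, got, want in [("tunnel destination", a["tunnel_dst"], b["serial_ip"]),
                                ("set peer", a["peer"], b["serial_ip"]),
                                ("isakmp key address", a["key_addr"], b["serial_ip"]),
                                ("crypto ACL src/dst", a["acl"], (a["serial_ip"], b["serial_ip"])),
                                ("transform-set", a["transform"], b["transform"]),
                                ("isakmp policy", a["policy"], b["policy"])]:
            if got != want:
                out.append(f"{who} {name}: {got!r} != {want!r}")
    return out
```

Running check_pair on the two real running-configs (show running-config output pasted into the two strings) gives an empty list for the working pair above and one line per mismatched field otherwise.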



So you now have a working IPsec over GRE tunnel. In the next posts the tunnels will be broken, and we will have to repair them.