***************************
DMVPN
***************************

==============================================
Lab 1 - DMVPN with EIGRP - Base setup
==============================================

-----------------------
R1 - NHS - Routing Hub
-----------------------

Interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----------------------
R2 - Client - Spoke
-----------------------

Interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----------------------
R3 - Client - Spoke
-----------------------

Interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----------------------
R4 - Client - Spoke
-----------------------

Interface Tunnel1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----------------------
R5 - Client - Spoke
-----------------------

Interface Tunnel1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

==============================================
Lab 2 - DMVPN - Phase I
==============================================

-> In this phase, all the Traffic flows via the Routing Hub (R1). This flow is known as Hub-n-Spoke.
-> This is the default Phase in EIGRP
-> Verify this by sending a trace from R2 to R3 [10.2.2.2 -> 10.3.3.3]
-> All the packets will go via R1.

Disadvantage:
----------------
-> Inefficient Traffic forwarding
-> Hub becomes a bottleneck

Use-case:
----------------
-> This is used in case the company would like to control Spoke to Spoke traffic by using a policy at the Hub.

==============================================
Lab 3 - DMVPN - Phase II
==============================================

-> In this phase, all the Traffic flows directly from Spoke - To - Spoke.
-> This is implemented in Phase II by tweaking the Routing Protocol behavior
-> You configure EIGRP NOT to change the next-hop on the Hub.
-> This causes the Spokes to receive the routes with the original next hop.

Advantages:
----------------
-> Efficient Traffic Forwarding
-> The Hub does NOT become a bottleneck

Configuration:
---------------

-----------------------
R1 - Routing Hub
-----------------------

Interface Tunnel1
 no ip next-hop-self eigrp 123

R2(config)#do trace 10.3.3.3 source 10.2.2.2 prob 1 numeric
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 1 msec
  2 192.168.1.3 2 msec

R2(config)#do trace 10.3.3.3 source 10.2.2.2 prob 1 numeric
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 1 msec

==============================================
Lab 4 - DMVPN - Phase III
==============================================

-> In this phase, all the Traffic flows directly from Spoke - To - Spoke.
-> This is implemented in Phase III by tweaking NHRP.
-> You configure NHRP Redirection on the Hub to create a mapping for the LAN Segment directly to its Public IP.
-> This redirection is sent to the originator. The originator needs to accept this shortcut.
-> It will override the Next-Hop in the routing table

Advantages:
----------------
-> Efficient Traffic Forwarding
-> The Hub does NOT become a bottleneck
-> It allows a more efficient lookup.
-> It allows the hub to summarize the LAN Segments.

-----------------------
R1 - Routing Hub
-----------------------

Interface Tunnel1
 ip next-hop-self eigrp 123
 ip nhrp redirect
 ip summary-address eigrp 123 10.0.0.0 255.0.0.0
 ip summary-address eigrp 123 172.16.0.0 255.255.0.0

-----------------------
R2-R5 - Clients
-----------------------

Interface Tunnel1
 ip nhrp shortcut

Verification:
--------------

R4(config-if)#do trace 10.5.5.5 sou 10.4.4.4 pro 1 num
Type escape sequence to abort.
Tracing the route to 10.5.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 2 msec
  2 192.168.1.5 7 msec

R4(config-if)#do trace 10.5.5.5 sou 10.4.4.4 pro 1 num
Type escape sequence to abort.
Tracing the route to 10.5.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.5 6 msec

R4(config-if)#do sh ip nhrp
10.5.5.0/24 via 192.168.1.5
   Tunnel1 created 00:00:10, expire 01:59:49
   Type: dynamic, Flags: router rib
   NBMA address: 192.1.50.5

S*    0.0.0.0/0 [1/0] via 192.1.40.6
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
D        10.0.0.0/8 [90/27008000] via 192.168.1.1, 00:01:46, Tunnel1
C        10.4.4.0/24 is directly connected, Loopback0
L        10.4.4.4/32 is directly connected, Loopback0
H        10.5.5.0/24 [250/1] via 192.168.1.5, 00:01:08, Tunnel1

==============================================
Lab 5 - IPSec with DMVPN
==============================================

-------------------------------
R1 - R5
-------------------------------

! 1. Phase I Parameters
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key Cisco123 address 0.0.0.0
! 2. Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface to encrypt all traffic leaving the Tunnel
Interface Tunnel1
 tunnel protection ipsec profile IPROF

==============================================
Lab 6 - Dual-Hub DMVPN with Phase III
==============================================

----------------------------------------------------
1. Configure a static relationship between the Hubs
----------------------------------------------------

----- R1 -----

Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map multicast 192.1.20.2
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
 ip nhrp redirect
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R2 -----

Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
 ip nhrp redirect
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----------------------------------------------------
2. Configure the spokes to point to both Hubs
----------------------------------------------------

----- R3 -----

Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map multicast 192.1.10.1
 ip nhrp map multicast 192.1.20.2
 ip nhrp shortcut
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R4 -----

Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map multicast 192.1.10.1
 ip nhrp map multicast 192.1.20.2
 ip nhrp shortcut
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R5 -----

Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map multicast 192.1.10.1
 ip nhrp map multicast 192.1.20.2
 ip nhrp shortcut
!
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----------------------------------------------------
3. Configure IPSec to encrypt the DMVPN Traffic
----------------------------------------------------

-------------------------------
R1 - R5
-------------------------------

! 1. Phase I Parameters
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
!
crypto isakmp key Cisco123 address 0.0.0.0
! 2. Phase II Parameters
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
crypto ipsec profile IPROF
 set transform-set ABC
! 4. Apply the IPSec Profile to the Tunnel Interface to encrypt all traffic leaving the Tunnel
Interface Tunnel1
 tunnel protection ipsec profile IPROF

***************************
VRF-Aware VPNs
***************************

========================================================
Lab 7 - Configure CUST-A Network using VRFs on R1 & R2
========================================================

------------------------------------------------------------------------------
1. Create the VRFs on R1 & R2 for CUST-A and assign interfaces to the VRF.
------------------------------------------------------------------------------

----- R1 -----

vrf definition CUST-A
 address-family ipv4
!
Interface E0/1
 vrf forwarding CUST-A
 ip address 10.12.12.1 255.255.255.0
 no shut
!
Interface E0/2
 vrf forwarding CUST-A
 ip address 10.10.10.1 255.255.255.0
 no shut

----- R2 -----

vrf definition CUST-A
 address-family ipv4
!
Interface E0/1
 vrf forwarding CUST-A
 ip address 10.12.12.2 255.255.255.0
 no shut
!
Interface E0/2
 vrf forwarding CUST-A
 ip address 10.20.20.2 255.255.255.0
 no shut

-----------------------------------------------------------------------------------
2. Configure the Edge Routers in CUST-A (R3 & R4). Configure them with EIGRP 123
-----------------------------------------------------------------------------------

----- R3 -----

Interface Loopback 0
 ip address 10.1.1.1 255.255.255.0
!
Interface E0/0
 ip address 10.10.10.3 255.255.255.0
 no shut
!
router eigrp 123
 network 10.0.0.0

----- R4 -----

Interface Loopback 0
 ip address 10.2.2.2 255.255.255.0
!
Interface E0/0
 ip address 10.20.20.4 255.255.255.0
 no shut
!
router eigrp 123
 network 10.0.0.0

-----------------------------------------------------------------------------------
3. Configure EIGRP within the VRF on R1 & R2
-----------------------------------------------------------------------------------

----- R1 -----

router eigrp 1
 address-family ipv4 vrf CUST-A autonomous-system 123
  network 10.0.0.0

----- R2 -----

router eigrp 1
 address-family ipv4 vrf CUST-A autonomous-system 123
  network 10.0.0.0

========================================================
Lab 8 - Configure CUST-B Network using VRFs on R1 & R2
========================================================

------------------------------------------------------------------------------
1. Create the VRFs on R1 & R2 for CUST-B and assign interfaces to the VRF.
------------------------------------------------------------------------------

----- R1 -----

vrf definition CUST-B
 address-family ipv4
!
Interface E0/0
 vrf forwarding CUST-B
 ip address 10.12.12.1 255.255.255.0
 no shut
!
Interface E0/3
 vrf forwarding CUST-B
 ip address 10.10.10.1 255.255.255.0
 no shut

----- R2 -----

vrf definition CUST-B
 address-family ipv4
!
Interface E0/0
 vrf forwarding CUST-B
 ip address 10.12.12.2 255.255.255.0
 no shut
!
Interface E0/3
 vrf forwarding CUST-B
 ip address 10.20.20.2 255.255.255.0
 no shut

-----------------------------------------------------------------------------------
2. Configure the Edge Routers in CUST-B (R5 & R6). Configure them with OSPF.
-----------------------------------------------------------------------------------

----- R5 -----

Interface Loopback 0
 ip address 10.1.1.1 255.255.255.0
!
Interface E0/0
 ip address 10.10.10.5 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

----- R6 -----

Interface Loopback 0
 ip address 10.2.2.2 255.255.255.0
!
Interface E0/0
 ip address 10.20.20.6 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

-----------------------------------------------------------------------------------
3. Configure OSPF within the VRF on R1 & R2
-----------------------------------------------------------------------------------

----- R1 -----

router ospf 1 vrf CUST-B
 network 10.0.0.0 0.255.255.255 area 0

----- R2 -----

router ospf 1 vrf CUST-B
 network 10.0.0.0 0.255.255.255 area 0

==================================================================================
Lab 9 - Configure a L2L VPN for CUST-A for 10.1.1.0/24 <-> 10.2.2.0/24 on R1 & R2
==================================================================================

----- R1 -----

! 1. Phase I
crypto isakmp policy 10
 auth pre-share
 hash md5
 encryption 3des
 group 2
!
crypto keyring KR-A vrf CUST-A
 pre-shared-key address 10.12.12.2 key Cisco123
!
crypto isakmp profile IP-A
 vrf CUST-A
 match identity address 10.12.12.2 255.255.255.255 CUST-A
 keyring KR-A
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP isakmp-profile IP-A
crypto map CMAP 10 ipsec-isakmp
 set peer 10.12.12.2
 set transform-set ABC
 match address 101
! 5. Apply
Interface E0/1
 crypto map CMAP

----- R2 -----

! 1. Phase I
crypto isakmp policy 10
 auth pre-share
 hash md5
 encryption 3des
 group 2
!
crypto keyring KR-A vrf CUST-A
 pre-shared-key address 10.12.12.1 key Cisco123
!
crypto isakmp profile IP-A
 vrf CUST-A
 match identity address 10.12.12.1 255.255.255.255 CUST-A
 keyring KR-A
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP isakmp-profile IP-A
crypto map CMAP 10 ipsec-isakmp
 set peer 10.12.12.1
 set transform-set ABC
 match address 101
! 5. Apply
Interface E0/1
 crypto map CMAP

==================================================================================
Lab 10 - Configure a L2L VPN for CUST-B for 10.1.1.0/24 <-> 10.2.2.0/24 on R1 & R2
==================================================================================

----- R1 -----

! 1. Phase I
crypto keyring KR-B vrf CUST-B
 pre-shared-key address 10.12.12.2 key Cisco123
!
crypto isakmp profile IP-B
 vrf CUST-B
 match identity address 10.12.12.2 255.255.255.255 CUST-B
 keyring KR-B
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP-B isakmp-profile IP-B
crypto map CMAP-B 10 ipsec-isakmp
 set peer 10.12.12.2
 set transform-set ABC
 match address 102
! 5. Apply
Interface E0/0
 crypto map CMAP-B

----- R2 -----

! 1. Phase I
crypto keyring KR-B vrf CUST-B
 pre-shared-key address 10.12.12.1 key Cisco123
!
crypto isakmp profile IP-B
 vrf CUST-B
 match identity address 10.12.12.1 255.255.255.255 CUST-B
 keyring KR-B
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 102 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP-B isakmp-profile IP-B
crypto map CMAP-B 10 ipsec-isakmp
 set peer 10.12.12.1
 set transform-set ABC
 match address 102
! 5. Apply
Interface E0/0
 crypto map CMAP-B

***************************
Certificates
***************************

==================================================================================
Lab 11 - Router as a CA Server
==================================================================================

----- R1 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:00:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Root Certificate
crypto key generate rsa label IOS-CA modulus 1024
! 3. Configure the Router as a Web Server.
ip http server
! 4. Configure the PKI Commands
crypto pki server IOS-CA
 issuer-name CN=KBITS CA L=Dubai C=AE
 no shut

==================================================================================
Lab 12 - Generate and Acquire Identity Certificates
==================================================================================

----- R2 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:00:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R5 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:00:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R1 -----

show crypto pki server IOS-CA requests
crypto pki server IOS-CA grant all

==================================================================================
Lab 13 - Configure a LAN-To-LAN IPSec VPN using certificates
==================================================================================

----- R2 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 encryption 3des
 group 2
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.5.5.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.50.5
 set transform-set ABC
 match address 101
! 5. Apply
Interface E0/0
 crypto map CMAP

----- R5 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 encryption 3des
 group 2
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
! 3. ACL
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.2.0 0.0.0.255
! 4. Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.2
 set transform-set ABC
 match address 101
! 5. Apply
Interface E0/0
 crypto map CMAP

==================================================================================
Lab 14 - Configure a DMVPN IPSec VPN using certificates
==================================================================================

-----------------------------------
1. Configure R1 as a CA Server
-----------------------------------

----- R1 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:00:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Root Certificate
crypto key generate rsa label IOS-CA modulus 1024
! 3. Configure the Router as a Web Server.
ip http server
! 4. Configure the PKI Commands
crypto pki server IOS-CA
 issuer-name CN=KBITS CA L=Dubai C=AE
 grant auto
 no shut

-----------------------------------------------------
2. Generate and Acquire Identity Certificates
-----------------------------------------------------

----- R1 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:02:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R2 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:02:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R3 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:02:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R4 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:02:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

----- R5 -----

! 1. Configure the proper Timezone and Time
clock timezone GST 4
do clock set 23:02:00 16 Sep 2023
! 2. Generate an RSA Key Pair to be used in your Identity Certificate
ip domain-name kbits.live
crypto key generate rsa modulus 1024
! 3. Configure a pointer towards the CA Server
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
! 4. Trust the CA Server by downloading the Root Certificate and trusting it
crypto pki authenticate ABC
! 5. Request an Identity Certificate from the CA Server
crypto pki enroll ABC

-----------------------------------------------------
3. Configure DMVPN using IPSec with Certificates
-----------------------------------------------------

----- R1 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 group 2
 encryption 3des
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Tunnel Interface
Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 123
 ip nhrp redirect
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R2 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 group 2
 encryption 3des
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Tunnel Interface
Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R3 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 group 2
 encryption 3des
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Tunnel Interface
Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R4 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 group 2
 encryption 3des
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Tunnel Interface
Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

----- R5 -----

! 1. Phase I
crypto isakmp policy 10
 auth rsa-sig
 hash md5
 group 2
 encryption 3des
! 2. Phase II
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport
! 3. IPSec Profile
Crypto ipsec profile IPROF
 set transform-set ABC
! 4. Tunnel Interface
Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map multicast 192.1.10.1
 ip nhrp shortcut
 tunnel protection ipsec profile IPROF
! 5. Routing Protocol
router eigrp 123
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0
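
Added example (not part of the original lab notes): a Python check that reads IOS configuration text and flags the IKE, IPSec and PKI parameters used in Labs 5, 6, 9, 10, 13 and 14 that are deprecated or that weaken peer authentication (MD5, 3DES, DH group 2, the 0.0.0.0 wildcard pre-shared key, 1024-bit RSA keys, grant auto, revocation-check none). The rule names, the reliance on sub-commands being indented as in show running-config output, and the stronger parameter set in STRONGER_CONFIG are assumptions of this example.

```python
import re

# Constructed input: commands copied from Labs 5 and 14 above.
LAB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 hash md5
 group 2
 encryption 3des
crypto isakmp key Cisco123 address 0.0.0.0
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
crypto key generate rsa modulus 1024
crypto pki server IOS-CA
 grant auto
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check none
"""

# Constructed input: a stronger parameter set chosen for this example (an
# assumption, not from the page; availability depends on the IOS release).
STRONGER_CONFIG = """\
crypto isakmp policy 10
 authentication rsa-sig
 hash sha256
 group 14
 encryption aes 256
crypto ipsec transform-set ABC esp-aes 256 esp-sha256-hmac
crypto key generate rsa modulus 2048
crypto pki trustpoint ABC
 enrollment url http://192.1.10.1
 revocation-check crl
"""

IKE, TOP = r"^crypto isakmp policy \d+$", r"^$"
# (rule name, regex for the parent command, regex for the command, reason)
RULES = [
    ("ike-md5", IKE, r"^hash md5$", "MD5 is deprecated for IKE integrity"),
    ("ike-weak-dh", IKE, r"^group (1|2|5)$", "DH group is below 2048 bits"),
    ("ike-3des", IKE, r"^encr(yption)? 3des$", "3DES is deprecated"),
    ("psk-wildcard", TOP, r"^crypto isakmp key \S+ address 0\.0\.0\.0\b",
     "the key is valid for any peer address"),
    ("esp-3des", TOP, r"^crypto ipsec transform-set \S+ .*\besp-3des\b",
     "3DES is deprecated for ESP"),
    ("rsa-short-key", TOP, r"^crypto key generate rsa\b.*\bmodulus (512|768|1024)$",
     "RSA modulus is below 2048 bits"),
    ("ca-grant-auto", r"^crypto pki server \S+$", r"^grant auto$",
     "every enrollment request is issued a certificate without review"),
    ("no-revocation", r"^crypto pki trustpoint \S+$", r"^revocation-check none$",
     "revoked certificates are still accepted"),
]

def parse(text):
    """Yield (line number, parent command, command). IOS shows a sub-command
    indented under the unindented command that opened its mode."""
    parent = ""
    for number, raw in enumerate(text.splitlines(), 1):
        command = raw.strip()
        if not command or command.startswith("!"):
            continue  # blank line, separator or comment
        if raw[0].isspace():
            yield number, parent, command
        else:
            parent = command
            yield number, "", command

def audit(text):
    """Return (line number, rule name, command, reason) for every match."""
    return [
        (number, name, command, reason)
        for number, parent, command in parse(text)
        for name, parent_re, command_re, reason in RULES
        if re.search(parent_re, parent, re.I) and re.search(command_re, command, re.I)
    ]

if __name__ == "__main__":
    for number, name, command, reason in audit(LAB_CONFIG):
        print(f"line {number}: {name}: {command!r}: {reason}")
    print("findings in the stronger set:", len(audit(STRONGER_CONFIG)))
```

Rules are matched against the parent command as well as the command itself, so a line such as hash md5 is reported only inside a crypto isakmp policy block.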