set gre tun0 keepalive-intval 0
set gre tun0 keepalive-retries 5
set gre tun0 on
set nhrp interface tun0
set nhrp map 192.168.3.1/24 88.34.166.18
set nhrp cisco-auth novopasswd
set nhrp holding-time 300
set nhrp debug
set ipsec phase1 MAIN remote-end 88.34.166.18
set ipsec phase1 MAIN local-end atm0
set ipsec phase1 MAIN encryption-algorithm 3des
set ipsec phase1 MAIN hash-algorithm sha1
set ipsec phase1 MAIN dh-group 2
set ipsec phase1 MAIN authentication-method pre_shared_key
set ipsec phase1 MAIN exchange-mode main
set ipsec phase2 NHRP match-phase1 MAIN
set ipsec phase2 NHRP encryption-algorithm 3des
set ipsec phase2 NHRP authentication-algorithm hmac_sha1
set ipsec phase2 NHRP pfs-group 2
set ipsec phase2 NHRP protocol 47
set ipsec phase2 NHRP mode tunnel
set ipsec phase2 NHRP security esp
set ipsec phase2 NHRP level unique
set ipsec phase2 NHRP local-subnet 1.1.1.1/32
set ipsec phase2 NHRP remote-subnet 192.168.203.253/32
set ipsec pre-shared-key 88.34.166.18 tiesseadm
set ipsec on
The most important feature of this example is that the IPsec selector is restricted to the
GRE protocol only (IP protocol 47), by using:
set ipsec phase2 NHRP protocol 47
With this configuration, multicast traffic is sent over the tunnel interface tun0. NHRP removes the need
for a static GRE tunnel configuration on the concentrator and for a per-spoke IPsec access list,
while the GRE traffic is still fully encrypted.
CONNECTIONS ANALYSIS AND TROUBLESHOOTING
To enable IPsec log messages, use the following command; it is very helpful for understanding
what happens during VPN activation:
set ipsec debug
The following example shows how to activate and verify a simple IPsec VPN in main mode:
set loopback 0 ipaddr 1.1.1.1
set loopback on