Friday, June 24, 2016

Overlay VPN task #8. LISP part 1.

Topology:



Configure loopback0 interfaces and links between routers for initial configuration.
All routers are IOS.
Use the following networks for links between routers in different autonomous systems:

R1-R5: 35.0.15/24
R1-R8: 38.0.18/24
R3-R6: 36.0.36/24
R3-R9: 39.0.39/24
R5-R6: 35.0.56/24
R5-R8: 35.0.58/24
R6-R8: 36.0.68/24
R6-R9: 36.0.69/24
R8-R9: 38.0.89/24

AS35, AS36, AS38 and AS39 are four interconnected ISPs.
Site A and Site B are two customer sites which use a private IP addressing scheme internally.
R2 and R4 represent internal hosts inside the customer sites.
Routers R7 and R10 are customer-owned routers co-located at ISPs AS35 and AS39.

Requirements: 

1. Configure each ISP (AS35, AS36, AS38 and AS39) to advertise its IPv4 prefix to neighbors via eBGP.
2. Configure links between Site A and Site B to upstream ISPs. DO NOT run eBGP between customer and ISP routers. 
3. Configure the network to allow connectivity between Site A and Site B internal private networks (R2 to R4). Only apply configuration on customer owned devices to complete this requirement. 
4. Traffic between site A and Site B shall be balanced between the two upstream links. 
5. The configuration shall allow a customer site to change its upstream provider without requiring configuration changes at other customer sites.
6. Do not use NAT to complete this task. 
    

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of LISP and of its configuration on the IOS platform.
This is an example of a basic LISP deployment with a single xTR per site and two MR/MS elements.

Requirement #5 implies the use of LISP: any kind of direct tunnel between sites requires configuring the tunnel destination address at the tunnel headend, so a site changing its upstream provider (and with it its public address) would force a configuration change at every other site. LISP solves this "issue" by using the MR/MS elements to store and resolve the EID-to-RLOC mappings, so each xTR only needs to know the map-resolver and map-server addresses.


Use routers R1 and R3 as xTR devices, and R7 and R10 as MR/MS devices, to solve this task. Each xTR registers its EID prefix with both map-servers using the shared authentication key, and both map-servers hold both sites, so either one can answer a map-request.

R1:


!
interface Ethernet0/0
 ip address 35.0.15.1 255.255.255.0
!
interface Ethernet0/1
 ip address 38.0.18.1 255.255.255.0
!
interface Ethernet0/2
 ip address 10.1.12.1 255.255.255.0
!
!
router lisp
 database-mapping 10.1.0.0/16 35.0.15.1 priority 100 weight 50
 database-mapping 10.1.0.0/16 38.0.18.1 priority 100 weight 50
 ipv4 itr map-resolver 35.0.57.7
 ipv4 itr map-resolver 39.0.109.10
 ipv4 itr
 ipv4 etr map-server 35.0.57.7 key STRONG
 ipv4 etr map-server 39.0.109.10 key STRONG
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 35.0.15.5
ip route 0.0.0.0 0.0.0.0 38.0.18.8

R2:


!
interface Ethernet0/0
 ip address 10.1.12.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.12.1

R3:


!
interface Ethernet0/0
 ip address 36.0.36.3 255.255.255.0
!
interface Ethernet0/1
 ip address 39.0.39.3 255.255.255.0
!
interface Ethernet0/2
 ip address 10.3.34.3 255.255.255.0
!
!
router lisp
 database-mapping 10.3.0.0/16 36.0.36.3 priority 100 weight 50
 database-mapping 10.3.0.0/16 39.0.39.3 priority 100 weight 50
 ipv4 itr map-resolver 35.0.57.7
 ipv4 itr map-resolver 39.0.109.10
 ipv4 itr
 ipv4 etr map-server 35.0.57.7 key STRONG
 ipv4 etr map-server 39.0.109.10 key STRONG
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 36.0.36.6
ip route 0.0.0.0 0.0.0.0 39.0.39.9
!

R4:



!
interface Ethernet0/0
 ip address 10.3.34.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.3.34.3


R5:


!
interface Loopback0
 ip address 35.0.5.5 255.255.255.255
!
interface Ethernet0/0
 ip address 35.0.56.5 255.255.255.0
!
interface Ethernet0/1
 ip address 35.0.57.5 255.255.255.0
!
!
interface Ethernet1/0
 ip address 35.0.15.5 255.255.255.0
!
interface Ethernet1/1
 ip address 35.0.58.5 255.255.255.0
!
!
router bgp 35
 bgp log-neighbor-changes
 network 35.0.0.0 mask 255.255.0.0
 neighbor 35.0.56.6 remote-as 36
 neighbor 35.0.58.8 remote-as 38
!
ip route 35.0.0.0 255.255.0.0 Null0

R6:


!
interface Loopback0
 ip address 36.0.6.6 255.255.255.255
!
interface Ethernet0/0
 ip address 35.0.56.6 255.255.255.0
!
!
interface Ethernet1/0
 ip address 36.0.36.6 255.255.255.0
!
interface Ethernet1/1
 ip address 36.0.69.6 255.255.255.0
!
interface Ethernet1/2
 ip address 36.0.68.6 255.255.255.0
!
!
router bgp 36
 bgp log-neighbor-changes
 network 36.0.0.0 mask 255.255.0.0
 neighbor 35.0.56.5 remote-as 35
 neighbor 36.0.68.8 remote-as 38
 neighbor 36.0.69.9 remote-as 39
!
ip route 36.0.0.0 255.255.0.0 Null0

R7:


!
vrf definition MRMS
 !
 address-family ipv4
 exit-address-family
!
!
interface Ethernet0/0
 ip address 35.0.57.7 255.255.255.0
!
!
router lisp
 site S1
  authentication-key STRONG
  eid-prefix 10.1.0.0/16
  exit
 !
 site S3
  authentication-key STRONG
  eid-prefix 10.3.0.0/16
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 alt-vrf MRMS
 exit
!
ip route 0.0.0.0 0.0.0.0 35.0.57.5

R8:


!
interface Loopback0
 ip address 38.0.8.8 255.255.255.255
!
interface Ethernet0/0
 ip address 38.0.89.8 255.255.255.0
!
!
interface Ethernet1/0
 ip address 38.0.18.8 255.255.255.0
!
interface Ethernet1/1
 ip address 35.0.58.8 255.255.255.0
!
interface Ethernet1/2
 ip address 36.0.68.8 255.255.255.0
!
!
router bgp 38
 bgp log-neighbor-changes
 network 38.0.0.0 mask 255.255.0.0
 neighbor 35.0.58.5 remote-as 35
 neighbor 36.0.68.6 remote-as 36
 neighbor 38.0.89.9 remote-as 39
!
ip route 38.0.0.0 255.255.0.0 Null0


R9:


!
interface Loopback0
 ip address 39.0.9.9 255.255.255.255
!
interface Ethernet0/0
 ip address 38.0.89.9 255.255.255.0
!
interface Ethernet0/1
 ip address 39.0.109.9 255.255.255.0
!
!
interface Ethernet1/0
 ip address 39.0.39.9 255.255.255.0
!
interface Ethernet1/1
 ip address 36.0.69.9 255.255.255.0
!
!
router bgp 39
 bgp log-neighbor-changes
 network 39.0.0.0 mask 255.255.0.0
 neighbor 36.0.69.6 remote-as 36
 neighbor 38.0.89.8 remote-as 38
!
ip route 39.0.0.0 255.255.0.0 Null0


R10:


!
vrf definition MRMS
 !
 address-family ipv4
 exit-address-family
!
!
!
interface Ethernet0/0
 ip address 39.0.109.10 255.255.255.0
!
!
router lisp
 site S1
  authentication-key STRONG
  eid-prefix 10.1.0.0/16
  exit
 !
 site S3
  authentication-key STRONG
  eid-prefix 10.3.0.0/16
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 alt-vrf MRMS
 exit
!
ip route 0.0.0.0 0.0.0.0 39.0.109.9

Verification:


R2#traceroute 10.3.34.4
Type escape sequence to abort.
Tracing the route to 10.3.34.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.12.1 5 msec 5 msec 5 msec
  2 35.0.15.5 5 msec 6 msec 5 msec
  3 35.0.56.6 6 msec 6 msec 6 msec
  4 36.0.36.3 6 msec 1 msec 6 msec
  5 10.3.34.4 5 msec 5 msec 6 msec

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 38.0.18.8 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 38.0.18.8
                [1/0] via 35.0.15.5
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.12.0/24 is directly connected, Ethernet0/2
L        10.1.12.1/32 is directly connected, Ethernet0/2
      35.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        35.0.15.0/24 is directly connected, Ethernet0/0
L        35.0.15.1/32 is directly connected, Ethernet0/0
      38.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        38.0.18.0/24 is directly connected, Ethernet0/1
L        38.0.18.1/32 is directly connected, Ethernet0/1

R5#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      35.0.0.0/8 is variably subnetted, 10 subnets, 3 masks
S        35.0.0.0/16 is directly connected, Null0
C        35.0.5.5/32 is directly connected, Loopback0
C        35.0.15.0/24 is directly connected, Ethernet1/0
L        35.0.15.5/32 is directly connected, Ethernet1/0
C        35.0.56.0/24 is directly connected, Ethernet0/0
L        35.0.56.5/32 is directly connected, Ethernet0/0
C        35.0.57.0/24 is directly connected, Ethernet0/1
L        35.0.57.5/32 is directly connected, Ethernet0/1
C        35.0.58.0/24 is directly connected, Ethernet1/1
L        35.0.58.5/32 is directly connected, Ethernet1/1
      36.0.0.0/16 is subnetted, 1 subnets
B        36.0.0.0 [20/0] via 35.0.56.6, 19:53:05
      38.0.0.0/16 is subnetted, 1 subnets
B        38.0.0.0 [20/0] via 35.0.58.8, 19:48:39
      39.0.0.0/16 is subnetted, 1 subnets
B        39.0.0.0 [20/0] via 35.0.58.8, 19:44:21


R8#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      35.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        35.0.0.0/16 [20/0] via 35.0.58.5, 19:48:59
C        35.0.58.0/24 is directly connected, Ethernet1/1
L        35.0.58.8/32 is directly connected, Ethernet1/1
      36.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B        36.0.0.0/16 [20/0] via 36.0.68.6, 19:48:51
C        36.0.68.0/24 is directly connected, Ethernet1/2
L        36.0.68.8/32 is directly connected, Ethernet1/2
      38.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
S        38.0.0.0/16 is directly connected, Null0
C        38.0.8.8/32 is directly connected, Loopback0
C        38.0.18.0/24 is directly connected, Ethernet1/0
L        38.0.18.8/32 is directly connected, Ethernet1/0
C        38.0.89.0/24 is directly connected, Ethernet0/0
L        38.0.89.8/32 is directly connected, Ethernet0/0
      39.0.0.0/16 is subnetted, 1 subnets
B        39.0.0.0 [20/0] via 38.0.89.9, 19:44:41


R7#show lisp site detail
LISP Site Registration Information

Site name: S1
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 10.1.0.0/16
    First registered:     19:27:42
    Routing table tag:    0
    Origin:               Configuration
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 38.0.18.1, last registered 00:00:34, no proxy-reply, no map-notify
                   TTL 1d00h, no merge, nonce 0xED309F90-0x2290B66F
                   state complete
      Locator    Local  State      Pri/Wgt
      35.0.15.1  yes    up         100/50
      38.0.18.1  yes    up         100/50
Site name: S3
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 10.3.0.0/16
    First registered:     19:27:42
    Routing table tag:    0
    Origin:               Configuration
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 39.0.39.3, last registered 00:00:51, no proxy-reply, no map-notify
                   TTL 1d00h, no merge, nonce 0x259CB080-0x6FBCADEA
                   state complete
      Locator    Local  State      Pri/Wgt
      36.0.36.3  yes    up         100/50
      39.0.39.3  yes    up         100/50

R10#show lisp site detail
LISP Site Registration Information

Site name: S1
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 10.1.0.0/16
    First registered:     02:19:06
    Routing table tag:    0
    Origin:               Configuration
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 38.0.18.1, last registered 00:00:09, no proxy-reply, no map-notify
                   TTL 1d00h, no merge, nonce 0xED309F90-0x2290B66F
                   state complete
      Locator    Local  State      Pri/Wgt
      35.0.15.1  yes    up         100/50
      38.0.18.1  yes    up         100/50
Site name: S3
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 10.3.0.0/16
    First registered:     02:20:25
    Routing table tag:    0
    Origin:               Configuration
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 39.0.39.3, last registered 00:00:17, no proxy-reply, no map-notify
                   TTL 1d00h, no merge, nonce 0x259CB080-0x6FBCADEA
                   state complete
      Locator    Local  State      Pri/Wgt
      36.0.36.3  yes    up         100/50
      39.0.39.3  yes    up         100/50
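
The map-server output above is what an operator watches for registration errors, and its Pri/Wgt columns are what produce the 50/50 split required by requirement #4. The Python below is an added example, not from the original post: it parses a constructed, trimmed copy of R7's show lisp site detail output, flags registration problems, and models priority/weight RLOC selection (the SHA-256 flow hash is an assumption; IOS uses its own hash).

```python
"""Parse 'show lisp site detail' output, flag registration problems, and model
ITR priority/weight RLOC selection. Added example; SAMPLE is constructed."""
import hashlib
import re
from dataclasses import dataclass

SAMPLE = """\
Site name: S1
  EID-prefix: 10.1.0.0/16
    State:                complete
      Authentication failures:   0
      Allowed locators mismatch: 0
      Locator    Local  State      Pri/Wgt
      35.0.15.1  yes    up         100/50
      38.0.18.1  yes    up         100/50
"""

@dataclass
class Locator:
    rloc: str
    state: str     # "up"/"down" as reported by the map-server
    priority: int  # lower value preferred; 255 means never use
    weight: int    # traffic share among equal-priority locators

@dataclass
class Registration:
    site: str
    eid_prefix: str
    state: str
    auth_failures: int
    locator_mismatch: int
    locators: list

LOC_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)\s+(\d+)/(\d+)\s*$")
def parse_site_detail(text):
    """One Registration per EID-prefix block in the command output."""
    regs, site, cur = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Site name:"):
            site = s.split(":", 1)[1].strip()
        elif s.startswith("EID-prefix:"):
            cur = Registration(site, s.split(":", 1)[1].strip(), "", 0, 0, [])
            regs.append(cur)
        elif cur is None:
            continue
        elif s.startswith("State:"):
            cur.state = s.split(":", 1)[1].strip()
        elif s.startswith("Authentication failures:"):
            cur.auth_failures = int(s.split(":")[1])
        elif s.startswith("Allowed locators mismatch:"):
            cur.locator_mismatch = int(s.split(":")[1])
        elif (m := LOC_RE.match(line)):
            cur.locators.append(Locator(m[1], m[2], int(m[3]), int(m[4])))
    return regs

def registration_problems(regs):
    """Findings to alert on: incomplete state, auth failures, lost redundancy."""
    out = []
    for r in regs:
        tag = f"{r.site} {r.eid_prefix}"
        if r.state != "complete":
            out.append(f"{tag}: registration state {r.state!r}")
        if r.auth_failures:  # key mismatch or an unauthorised ETR registering
            out.append(f"{tag}: {r.auth_failures} authentication failures")
        if r.locator_mismatch:
            out.append(f"{tag}: {r.locator_mismatch} locator-set mismatches")
        if sum(l.state == "up" for l in r.locators) < 2:
            out.append(f"{tag}: fewer than two usable locators")
    return out

def select_rloc(locators, src_ip, dst_ip):
    """RLOC an ITR encapsulates to: lowest priority value wins, ties share load
    by weight, one flow always maps to one RLOC (flow hash is an assumption)."""
    usable = [l for l in locators if l.state == "up" and l.priority < 255]
    if not usable:
        return None
    best = min(l.priority for l in usable)
    cands = sorted((l for l in usable if l.priority == best), key=lambda l: l.rloc)
    digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
    point = int.from_bytes(digest[:4], "big") % sum(l.weight for l in cands)
    for l in cands:  # walk the weight intervals; point < total so one matches
        if point < l.weight:
            return l.rloc
        point -= l.weight
```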

Saturday, June 18, 2016

Overlay VPN task #7. GRE based VPN part 3.

Topology:



Use the configuration from Overlay VPN task #6 as the initial configuration for this task.

Requirements: 

Change the configuration produced in the previous task to comply with the new requirements.
The goal is to increase the scalability of the previous solution, to allow support for a large number of spoke sites.

1. Replace the OSPF based routing with BGP routing. Use AS6500X for each site, where X is the router number.
2. Each branch router shall advertise its 10.X/16 network to the HQ router.
3. The HQ router shall only advertise network 10/8 to the branch routers.
4. Branch-to-branch traffic shall be allowed to follow the direct path, not via the HQ router.
5. Ensure confidentiality and integrity of customer traffic traversing AS30 and AS31.

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of DMVPN phase III and of using IPsec to protect DMVPN traffic. It also requires an understanding of basic BGP configuration and aggregation.

Requirements #1-3: remove the OSPF configuration and configure BGP on each router. On R6, use aggregate-address with summary-only to advertise the 10/8 aggregate and suppress the individual 10.X/16 prefixes.
Requirement #4: direct branch-to-branch traffic requires DMVPN phase III configuration (NHRP redirect on the hub, NHRP shortcut on the spokes). Another DMVPN option that supports suppressing routing information at the spokes is DMVPN phase I, but it sends all branch-to-branch traffic via the hub.
Requirement #5: providing both data confidentiality and integrity requires IPsec with ESP headers (AH headers provide integrity only, not confidentiality). Configure an ISAKMP policy, a transform-set and an IPsec profile, then apply the profile on the tunnel interface using the tunnel protection command.


R6:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.6 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65006
 bgp log-neighbor-changes
 network 10.6.0.0 mask 255.255.0.0
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 10.0.0.7 remote-as 65007
 neighbor 10.0.0.8 remote-as 65008
!
ip route 10.6.0.0 255.255.0.0 Null0


R7:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.7 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip nhrp shortcut
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65007
 bgp log-neighbor-changes
 network 10.7.0.0 mask 255.255.0.0
 neighbor 10.0.0.6 remote-as 65006
!
ip route 10.7.0.0 255.255.0.0 Null0


R8:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
 set transform-set TS
!
!
interface Tunnel1
 ip address 10.0.0.8 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.6 30.0.16.6
 ip nhrp map multicast 30.0.16.6
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.6
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel protection ipsec profile PROTECT
!
!
router bgp 65008
 bgp log-neighbor-changes
 network 10.8.0.0 mask 255.255.0.0
 neighbor 10.0.0.6 remote-as 65006
!
ip route 10.8.0.0 255.255.0.0 Null0

Verification:



R7#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 31.0.57.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 31.0.57.5
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B        10.0.0.0/8 [20/0] via 10.0.0.6, 00:46:49
C        10.0.0.0/24 is directly connected, Tunnel1
L        10.0.0.7/32 is directly connected, Tunnel1
S        10.7.0.0/16 is directly connected, Null0
C        10.7.1.0/24 is directly connected, Ethernet0/1
L        10.7.1.1/32 is directly connected, Ethernet0/1
C        10.7.7.7/32 is directly connected, Loopback0
H        10.8.1.0/24 [250/1] via 10.0.0.8, 00:46:32, Tunnel1
H        10.8.8.8/32 [250/1] via 10.0.0.8, 00:40:52, Tunnel1
      31.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        31.0.57.0/24 is directly connected, Ethernet0/0
L        31.0.57.7/32 is directly connected, Ethernet0/0

R7#traceroute 10.8.1.1
Type escape sequence to abort.
Tracing the route to 10.8.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.8 [AS 65006] 6 msec 6 msec 5 msec

R6#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 30.0.16.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 30.0.16.1
      10.0.0.0/8 is variably subnetted, 9 subnets, 4 masks
B        10.0.0.0/8 [200/0] via 0.0.0.0, 00:50:15, Null0
C        10.0.0.0/24 is directly connected, Tunnel1
L        10.0.0.6/32 is directly connected, Tunnel1
S        10.6.0.0/16 is directly connected, Null0
C        10.6.1.0/24 is directly connected, Ethernet0/1
L        10.6.1.1/32 is directly connected, Ethernet0/1
C        10.6.6.6/32 is directly connected, Loopback0
B        10.7.0.0/16 [20/0] via 10.0.0.7, 00:47:19
B        10.8.0.0/16 [20/0] via 10.0.0.8, 00:47:19
      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.0.16.0/24 is directly connected, Ethernet0/0
L        30.0.16.6/32 is directly connected, Ethernet0/0

R6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.0.16.6       30.0.38.8       QM_IDLE           1001 ACTIVE
30.0.16.6       31.0.57.7       QM_IDLE           1002 ACTIVE

R6#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 30.0.16.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   current_peer 31.0.57.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.16.6, remote crypto endpt.: 31.0.57.7
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x66AFBB2D(1722792749)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4371DE8C(1131536012)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4215914/2423)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66AFBB2D(1722792749)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4215914/2423)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
   current_peer 30.0.38.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.16.6, remote crypto endpt.: 30.0.38.8
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x36039CEC(906206444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFEE943A(267293754)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4249146/2413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36039CEC(906206444)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4249146/2413)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:



R7#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 31.0.57.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.38.8/255.255.255.255/47/0)
   current_peer 30.0.38.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.38.8
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x9A5210E0(2589069536)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x400F81E6(1074758118)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4371174/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9A5210E0(2589069536)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4371174/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (31.0.57.7/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (30.0.16.6/255.255.255.255/47/0)
   current_peer 30.0.16.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
    #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 31.0.57.7, remote crypto endpt.: 30.0.16.6
     path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0x4371DE8C(1131536012)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x66AFBB2D(1722792749)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4217048/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4371DE8C(1131536012)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4217048/2369)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
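
Requirement #5 hinges on the transform-set choice (an ESP cipher plus an authenticator), so a config audit that catches an AH-only or encryption-only set, or a GRE tunnel left without tunnel protection, is a useful pre-deployment check. The Python below is an added example, not part of the original post: it audits constructed IOS config fragments (R6_CONFIG mirrors the R6 solution above; WEAK_CONFIG is a deliberately deficient foil) and also flags the wildcard pre-shared key as a caveat.

```python
"""Audit IOS DMVPN configs for requirement #5: every GRE/mGRE tunnel must carry
'tunnel protection' with an IPsec profile whose transform-sets give both
confidentiality (ESP cipher) and integrity (ESP/AH authenticator). Added example."""

R6_CONFIG = """\
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 14
crypto isakmp key SECRET address 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile PROTECT
 set transform-set TS
interface Tunnel1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROTECT
"""

WEAK_CONFIG = """\
crypto ipsec transform-set AHONLY ah-sha-hmac
crypto ipsec transform-set NOAUTH esp-aes
crypto ipsec profile INTEG
 set transform-set AHONLY NOAUTH
interface Tunnel1
 tunnel mode gre multipoint
 tunnel protection ipsec profile INTEG
interface Tunnel2
 tunnel mode gre multipoint
"""

def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def classify_transform(tokens):
    """Return (confidentiality, integrity) provided by a transform-set."""
    conf = integ = False
    for t in tokens:  # numeric key lengths such as 'esp-aes 256' fall through
        if t.startswith("ah-") or t.endswith("-hmac") or t == "esp-gmac":
            integ = True
        elif t == "esp-gcm":               # AEAD: encrypts and authenticates
            conf = integ = True
        elif t.startswith("esp-") and t != "esp-null":
            conf = True
    return conf, integ

def audit_tunnel_protection(config):
    """FAIL findings violate requirement #5; INFO findings are caveats."""
    findings, tsets, profiles, tunnels = [], {}, {}, {}
    for head, body in parse_blocks(config):
        w = head.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = w[4:]
        elif w[:3] == ["crypto", "ipsec", "profile"]:
            profiles[w[3]] = sum((b.split()[2:] for b in body if b.startswith("set transform-set ")), [])
        elif w[:3] == ["crypto", "isakmp", "key"] and "0.0.0.0" in w:
            findings.append("INFO: wildcard pre-shared key, any peer that knows it may negotiate")
        elif w[0] == "interface" and w[1].startswith("Tunnel"):
            tunnels[w[1]] = body
    for name, body in tunnels.items():
        if not any(b.startswith("tunnel mode gre") for b in body):
            continue                       # only GRE/mGRE tunnels are in scope
        prot = [b.split()[4] for b in body if b.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"FAIL: {name}: GRE tunnel sent in cleartext, no tunnel protection")
            continue
        sets = profiles.get(prot[0], [])
        if not sets:
            findings.append(f"FAIL: {name}: profile {prot[0]} missing or has no transform-set")
        for ts in sets:                    # every set the profile may negotiate
            conf, integ = classify_transform(tsets.get(ts, []))
            if not conf:
                findings.append(f"FAIL: {name}/{prot[0]}/{ts}: integrity only, no confidentiality")
            if not integ:
                findings.append(f"FAIL: {name}/{prot[0]}/{ts}: no integrity protection")
    return findings
```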