Differences

This shows you the differences between two versions of the page.

--- cisco:labs:ios-xe:lab17 [2025/10/04 12:05] – Name
+++ cisco:labs:ios-xe:lab17 [2025/10/04 21:19] (current) – [Answer Section] Name
@@ Line 13: / Line 13: @@
   - Configure crypto ipsec-isakmp map.
   - Configure the crypto map on the physical interface.
-  - Configure r1 in BGP AS 65000.
+  - Verify crypto ipsec sa (may need to ping neighbor first).
-  - Configure r4 in BGP AS 65001.
+  - Verify crypto IKEv2 sa.
-  - Configure r1 and r4 to form an eBGP neighborship.
+  - Verify crypto between r2 and r3 using Wirehsark (optional).
-  - Verify BGP neighborship is Established.
 {{:cisco:labs:ios-xe:lab_17_-_ebgp_with_ospf_underlay_and_ikev2_between_r2_and_r3.png?500|}}
@@ Line 111: / Line 110: @@
 ===Task 9===
 r2
-<code></code>
+<code>r2#show crypto ipsec sa
+interface: GigabitEthernet2
+    Crypto map tag: svpn-map, local addr 23.1.1.2
+   protected vrf: (none)
+   local  ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
+   remote ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
+   current_peer 23.1.1.3 port 500
+     PERMIT, flags={origin_is_acl,}
+    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
+    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
+    #pkts compressed: 0, #pkts decompressed: 0
+    #pkts not compressed: 0, #pkts compr. failed: 0
+    #pkts not decompressed: 0, #pkts decompress failed: 0
+    #send errors 0, #recv errors 0
+     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 23.1.1.3
+     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
+     current outbound spi: 0xF48D2703(4102891267)
+     PFS (Y/N): N, DH group: none
+     inbound esp sas:
+      spi: 0xCDBEBD9A(3451829658)
+        transform: esp-aes esp-sha512-hmac ,
+        in use settings ={Tunnel, }
+        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
+         sa timing: remaining key lifetime (k/sec): (4607999/3594)
+        IV size: 16 bytes
+        replay detection support: Y
+        Status: ACTIVE(ACTIVE)
+     inbound ah sas:
+     inbound pcp sas:
+     outbound esp sas:
+      spi: 0xF48D2703(4102891267)
+        transform: esp-aes esp-sha512-hmac ,
+        in use settings ={Tunnel, }
+        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
+         sa timing: remaining key lifetime (k/sec): (4607999/3594)
+        IV size: 16 bytes
+        replay detection support: Y
+        Status: ACTIVE(ACTIVE)
+     outbound ah sas:
+     outbound pcp sas:</code>
 r3
-<code></code>
+<code>r3#show crypto ipsec sa
+interface: GigabitEthernet2
+    Crypto map tag: svpn-map, local addr 23.1.1.3
+   protected vrf: (none)
+   local  ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
+   remote ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
+   current_peer 23.1.1.2 port 500
+     PERMIT, flags={origin_is_acl,}
+    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
+    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
+    #pkts compressed: 0, #pkts decompressed: 0
+    #pkts not compressed: 0, #pkts compr. failed: 0
+    #pkts not decompressed: 0, #pkts decompress failed: 0
+    #send errors 0, #recv errors 0
+     local crypto endpt.: 23.1.1.3, remote crypto endpt.: 23.1.1.2
+     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
+     current outbound spi: 0xCDBEBD9A(3451829658)
+     PFS (Y/N): N, DH group: none
+     inbound esp sas:
+      spi: 0xF48D2703(4102891267)
+        transform: esp-aes esp-sha512-hmac ,
+        in use settings ={Tunnel, }
+        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
+         sa timing: remaining key lifetime (k/sec): (4607999/3508)
+        IV size: 16 bytes
+        replay detection support: Y
+        Status: ACTIVE(ACTIVE)
+     inbound ah sas:
+     inbound pcp sas:
+     outbound esp sas:
+      spi: 0xCDBEBD9A(3451829658)
+        transform: esp-aes esp-sha512-hmac ,
+        in use settings ={Tunnel, }
+        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
+         sa timing: remaining key lifetime (k/sec): (4607999/3508)
+        IV size: 16 bytes
+        replay detection support: Y
+        Status: ACTIVE(ACTIVE)
+     outbound ah sas:
+     outbound pcp sas:</code>
+* Notice the inbound and outbound esp sas are populated.
 ----
 ===Task 10===
 r2
-<code></code>
+<code>r2#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         23.1.1.2/500          23.1.1.3/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/411 sec</code>
 r3
-<code></code>
+<code>r3#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         23.1.1.3/500          23.1.1.2/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/449 sec</code>
 ----
 ===Task 11===
-r2
+{{:cisco:labs:ios-xe:lab_17_-_ss1.png?500|}}
-<code></code>
+  * In a later lab, all transit traffic will be encrypted through a tunnel interface.
-r3
-<code></code>
 ----
 =====Backlinks=====
 [[:cisco|Cisco]]\\

Tim's Technology Gauntlet Wiki

User Tools

Site Tools

Differences

Page Tools