Saturday, July 22, 2023

Hub-and-spoke IPsec VPN MAP Lab

Hub#sh run

Building configuration...


Current configuration : 1881 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Hub

!

!

!

!

!

!

!

!

no ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO2811/K9 sn FTX101740QY-

!

!

!

crypto isakmp policy 10

 authentication pre-share

!

crypto isakmp key cisco address 192.168.1.10

!

!

!

crypto ipsec transform-set vpnset esp-des esp-sha-hmac

!

crypto map myvpn 10 ipsec-isakmp 

 set peer 192.168.1.10

 set transform-set vpnset 

 match address 100

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface Tunnel0

 ip address 10.1.1.1 255.255.255.252

 mtu 1476

 tunnel source Ethernet1/0

 tunnel destination 192.168.1.10

!

!

interface Tunnel1

 ip address 10.1.1.5 255.255.255.252

 mtu 1476

 tunnel source Ethernet1/1

 tunnel destination 192.168.1.10

!

!

interface FastEthernet0/0

 ip address 172.16.1.254 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Ethernet1/0

 ip address 192.168.1.2 255.255.255.252

 duplex auto

 speed auto

 crypto map myvpn

!

interface Ethernet1/1

 ip address 192.168.1.6 255.255.255.252

 duplex auto

 speed auto

 crypto map myvpn

!

interface Ethernet1/2

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Ethernet1/3

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip route 192.168.1.8 255.255.255.252 Ethernet1/0 

ip route 192.168.1.8 255.255.255.252 Ethernet1/1 200

ip route 172.16.2.0 255.255.255.0 10.1.1.2 

ip route 172.16.2.0 255.255.255.0 10.1.1.6 200

!

ip flow-export version 9

!

!

access-list 100 permit ip host 192.168.1.10 host 192.168.1.2

access-list 100 permit ip host 192.168.1.10 host 192.168.1.6

access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end



Hub#sh ip int brie 

Interface              IP-Address      OK? Method Status                Protocol 

FastEthernet0/0        172.16.1.254    YES NVRAM  up                    up 

FastEthernet0/1        unassigned      YES NVRAM  administratively down down 

Ethernet1/0            192.168.1.2     YES NVRAM  up                    up 

Ethernet1/1            192.168.1.6     YES NVRAM  up                    up 

Ethernet1/2            unassigned      YES NVRAM  administratively down down 

Ethernet1/3            unassigned      YES NVRAM  administratively down down 

Tunnel0                10.1.1.1        YES NVRAM  up                    up 

Tunnel1                10.1.1.5        YES NVRAM  up                    up 

Vlan1                  unassigned      YES NVRAM  administratively down down


Hub#sh ip route connected 

 C   10.1.1.0/30  is directly connected, Tunnel0

 C   10.1.1.4/30  is directly connected, Tunnel1

 C   172.16.1.0/24  is directly connected, FastEthernet0/0

 C   192.168.1.0/30  is directly connected, Ethernet1/0

 C   192.168.1.4/30  is directly connected, Ethernet1/1


Hub#sh ip route 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route


Gateway of last resort is not set


     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C       10.1.1.0/30 is directly connected, Tunnel0

L       10.1.1.1/32 is directly connected, Tunnel0

C       10.1.1.4/30 is directly connected, Tunnel1

L       10.1.1.5/32 is directly connected, Tunnel1

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

C       172.16.1.0/24 is directly connected, FastEthernet0/0

L       172.16.1.254/32 is directly connected, FastEthernet0/0

S       172.16.2.0/24 [1/0] via 10.1.1.2

     192.168.1.0/24 is variably subnetted, 5 subnets, 2 masks

C       192.168.1.0/30 is directly connected, Ethernet1/0

L       192.168.1.2/32 is directly connected, Ethernet1/0

C       192.168.1.4/30 is directly connected, Ethernet1/1

L       192.168.1.6/32 is directly connected, Ethernet1/1

S       192.168.1.8/30 is directly connected, Ethernet1/0



Hub#sh crypto map 

Crypto Map myvpn 10 ipsec-isakmp

        Peer = 192.168.1.10

        Extended IP access list 100

            access-list 100 permit ip host 192.168.1.10 host 192.168.1.2

            access-list 100 permit ip host 192.168.1.10 host 192.168.1.6

            access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

        Current peer: 192.168.1.10

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                vpnset,

        }

        Interfaces using crypto map myvpn:

                Ethernet1/0

                Ethernet1/1


Hub# 


===============================================================


Spoke#sh run 

Building configuration...


Current configuration : 2050 bytes

!

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Spoke

!

!

!

!

!

!

!

!

no ip cef

no ipv6 cef

!

!

!

!

license udi pid CISCO2811/K9 sn FTX10175231-

!

!

!

crypto isakmp policy 10

 authentication pre-share

!

crypto isakmp key cisco address 192.168.1.2

crypto isakmp key cisco address 192.168.1.6

!

!

!

crypto ipsec transform-set vpnset esp-des esp-sha-hmac

!

crypto map myvpn 10 ipsec-isakmp 

 set peer 192.168.1.2

 set peer 192.168.1.6

 set transform-set vpnset 

 match address 100

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface Tunnel0

 ip address 10.1.1.2 255.255.255.252

 mtu 1476

 tunnel source Ethernet1/0

 tunnel destination 192.168.1.2

!

!

interface Tunnel1

 ip address 10.1.1.6 255.255.255.252

 mtu 1476

 tunnel source Ethernet1/0

 tunnel destination 192.168.1.6

!

!

interface FastEthernet0/0

 ip address 172.16.2.254 255.255.255.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Ethernet1/0

 ip address 192.168.1.10 255.255.255.252

 duplex auto

 speed auto

 crypto map myvpn

!

interface Ethernet1/1

 no ip address

 duplex auto

 speed auto

 shutdown

 crypto map myvpn

!

interface Ethernet1/2

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Ethernet1/3

 no ip address

 duplex auto

 speed auto

 shutdown

!

interface Vlan1

 no ip address

 shutdown

!

ip classless

ip route 172.16.1.0 255.255.255.0 10.1.1.1 

ip route 172.16.1.0 255.255.255.0 10.1.1.5 200

ip route 192.168.1.0 255.255.255.252 Ethernet1/0 

ip route 192.168.1.4 255.255.255.252 Ethernet1/0 

!

ip flow-export version 9

!

!

access-list 100 permit ip host 192.168.1.2 host 192.168.1.10

access-list 100 permit ip host 192.168.1.6 host 192.168.1.10

access-list 100 permit ip host 192.168.1.2 host 192.168.1.14

access-list 100 permit ip host 192.168.1.6 host 192.168.1.14

access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

 login

!

!

!

end



Spoke#sh ip int brie 

Interface              IP-Address      OK? Method Status                Protocol 

FastEthernet0/0        172.16.2.254    YES NVRAM  up                    up 

FastEthernet0/1        unassigned      YES NVRAM  administratively down down 

Ethernet1/0            192.168.1.10    YES NVRAM  up                    up 

Ethernet1/1            unassigned      YES NVRAM  administratively down down 

Ethernet1/2            unassigned      YES NVRAM  administratively down down 

Ethernet1/3            unassigned      YES NVRAM  administratively down down 

Tunnel0                10.1.1.2        YES NVRAM  up                    up 

Tunnel1                10.1.1.6        YES NVRAM  up                    up 

Vlan1                  unassigned      YES NVRAM  administratively down down


Spoke#sh ip route connected 

 C   10.1.1.0/30  is directly connected, Tunnel0

 C   10.1.1.4/30  is directly connected, Tunnel1

 C   172.16.2.0/24  is directly connected, FastEthernet0/0

 C   192.168.1.8/30  is directly connected, Ethernet1/0


Spoke#sh ip route 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route


Gateway of last resort is not set


     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C       10.1.1.0/30 is directly connected, Tunnel0

L       10.1.1.2/32 is directly connected, Tunnel0

C       10.1.1.4/30 is directly connected, Tunnel1

L       10.1.1.6/32 is directly connected, Tunnel1

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

S       172.16.1.0/24 [1/0] via 10.1.1.1

C       172.16.2.0/24 is directly connected, FastEthernet0/0

L       172.16.2.254/32 is directly connected, FastEthernet0/0

     192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks

S       192.168.1.0/30 is directly connected, Ethernet1/0

S       192.168.1.4/30 is directly connected, Ethernet1/0

C       192.168.1.8/30 is directly connected, Ethernet1/0

L       192.168.1.10/32 is directly connected, Ethernet1/0


Spoke#sh cry map

Crypto Map myvpn 10 ipsec-isakmp

        Peer = 192.168.1.2

        Peer = 192.168.1.6

        Extended IP access list 100

            access-list 100 permit ip host 192.168.1.2 host 192.168.1.10

            access-list 100 permit ip host 192.168.1.6 host 192.168.1.10

            access-list 100 permit ip host 192.168.1.2 host 192.168.1.14

            access-list 100 permit ip host 192.168.1.6 host 192.168.1.14

            access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

        Current peer: 192.168.1.2

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                vpnset,

        }

        Interfaces using crypto map myvpn:

                Ethernet1/0

                Ethernet1/1


Spoke#
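As an added example (not part of the lab and not a Cisco tool), a small Python checker that reads the `ip address` and `access-list 100` lines copied from the two running configs above and reports the two things a crypto-map review looks for first: ACEs whose source is not one of the router's own networks (IOS matches a crypto ACL against outbound traffic, so such an ACE never selects traffic for protection) and ACEs with no mirror-image counterpart in the peer's crypto ACL.

```python
import ipaddress
import re
# Only the lines the audit needs, copied verbatim from the page's two running configs.
HUB = """
 ip address 192.168.1.2 255.255.255.252
 ip address 192.168.1.6 255.255.255.252
 ip address 172.16.1.254 255.255.255.0
access-list 100 permit ip host 192.168.1.10 host 192.168.1.2
access-list 100 permit ip host 192.168.1.10 host 192.168.1.6
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SPOKE = """
 ip address 192.168.1.10 255.255.255.252
 ip address 172.16.2.254 255.255.255.0
access-list 100 permit ip host 192.168.1.2 host 192.168.1.10
access-list 100 permit ip host 192.168.1.6 host 192.168.1.10
access-list 100 permit ip host 192.168.1.2 host 192.168.1.14
access-list 100 permit ip host 192.168.1.6 host 192.168.1.14
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
ACE = re.compile(r"access-list \d+ permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")

def to_net(operand):
    """ACL operand 'host A' or 'A WILDCARD' -> ip_network."""
    if operand.startswith("host "):
        return ipaddress.ip_network(operand[5:])
    addr, wildcard = operand.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # wildcard bits -> netmask
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse(cfg):
    """Return (local networks from 'ip address' lines, [(src, dst), ...] from the ACEs)."""
    local, aces = [], []
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("ip address "):
            _, _, addr, mask = line.split()
            local.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif m := ACE.fullmatch(line):
            aces.append((to_net(m.group(1)), to_net(m.group(2))))
    return local, aces

def wrong_direction(cfg):
    """ACEs whose source is not local; IOS matches a crypto ACL against outbound traffic."""
    local, aces = parse(cfg)
    return [f"{s} -> {d}" for s, d in aces if not any(s.subnet_of(n) for n in local)]

def unmirrored(cfg_a, cfg_b):
    """ACEs of A with no src/dst-swapped counterpart in B (peer crypto ACLs must mirror)."""
    aces_a, aces_b = parse(cfg_a)[1], set(parse(cfg_b)[1])
    return [f"{s} -> {d}" for s, d in aces_a if (d, s) not in aces_b]
```

Run against this lab, every ACE on both routers has a remote source, and the spoke's two ACEs for 192.168.1.14 have no counterpart on the hub. Note also that LAN-to-LAN traffic routed into Tunnel0/Tunnel1 leaves Ethernet1/x as GRE between the tunnel endpoints, so on the physical interfaces only the endpoint-to-endpoint ACEs can ever match.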