
Saturday, January 30, 2016

IKEv2 Pushing Policy


Adding AAA Authorization and pushing configuration

! FlexVPN Server R1

! Baseline before the change: confirm the IKEv2 SAs are up and what OSPF
! currently learns over the tunnels, so the post-change output can be compared.
show crypto engine connections active
show crypto ikev2 sa
show ip route ospf

conf t
! Addresses the hub will hand to spokes (172.16.0.100-.200, 101 addresses).
ip local pool FlexPool 172.16.0.100 172.16.0.200
! NOTE(review): "aaa new-model" also changes how console/VTY logins are
! authenticated from this point on (default method lists apply to the lines);
! keep the current session open until line login behaviour has been re-checked.
aaa new-model
! Method list the IKEv2 profile references below; "local" = the authorization
! policy is read from this router's own "crypto ikev2 authorization policy".
aaa authorization network Author-List local

! "do" runs an exec command from config mode: show which policies already exist.
do show crypto ikev2 authorization policy
! The policy named "default" is what "... list Author-List default" resolves to;
! it carries the settings pushed to each spoke during the IKEv2 config exchange.
crypto ikev2 authorization policy default
pool FlexPool
exit

! Bind certificate-authenticated peers ("group cert") to that policy.
! "author" is simply the abbreviated form of "authorization" (see the running
! config, which expands it).
crypto ikev2 profile IKEv2-Profile
aaa author group cert list Author-List default
end

! Spokes R2-R4

conf t
! Replace the spoke's tunnel address with one negotiated from the hub's FlexPool.
int tun 0
ip address negotiated
end

! Tear down the existing IKEv2/IPsec session so the spoke re-authenticates and
! receives the pushed policy (address and route) on the new SA.
clear crypto session

! Tunnel0 should now carry an address from the hub's pool (172.16.0.100-.200).
show ip int brief

! OSPF adjacency over the tunnel should re-form and the hub's routes reappear.
show ip route ospf

Everything works again after the mode-config (address) push.
Full configs R1 - R4:

R1#show run
Building configuration...

Current configuration : 5646 bytes
!
! Last configuration change at 16:02:14 PST Tue Jul 1 2014
! R1 - FlexVPN hub running-config, part 1: platform globals, AAA, PKI trustpoint.
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
! No usernames or secrets appear anywhere in this config, so this setting has
! no effect today; revisit it if credentials are ever added.
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker

! AAA is how the IKEv2 profile (part 2) looks up the per-peer authorization
! policy: "Author-List" is the list named in
! "aaa authorization group cert list Author-List default", and "local" means the
! policy comes from this router's own "crypto ikev2 authorization policy".
aaa new-model

aaa authorization network Author-List local

aaa session-id common
! Clock/timezone matter here: certificate validity periods are checked
! against the router clock.
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated

! Trustpoint used both to enroll this router's own certificate and to validate
! spoke certificates (bound to the IKEv2 profile via "pki trustpoint Trusted-CA").
crypto pki trustpoint Trusted-CA
 ! Enrollment against the CA at 5.5.5.5 over plain HTTP.
 enrollment url http://5.5.5.5:80
 serial-number none
 ! Identity fields written into this router's certificate request.
 fqdn r1.cbtnuggets.com
 ip-address 15.0.0.1
 subject-name CN=r1,O=cbtnuggets.com
 ! SECURITY: peer certificates are never checked against a CRL or OCSP.
 ! A compromised/revoked spoke certificate therefore stays usable on this hub
 ! until it expires. Acceptable in a lab; not for production.
 revocation-check none
 rsakeypair r1.cbtnuggets.com

! Certificate map selected by the IKEv2 profile ("match certificate CMAP").
! "co" = contains: any certificate whose issuer name contains "cbtnuggets"
! matches, i.e. the map constrains the issuer only, not the subject.
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 04
  3082024A 308201B3 A0030201 02020104 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323030 3831365A 170D3135 30373031
  32303038 31365A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723131 37301506 092A8648 86F70D01 09081308
  31352E30 2E302E31 301E0609 2A864886 F70D0109 02161172 312E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00C19869 47EB6BE5 1F76EE98 FE005644 2E7356F0 4A6A083D 8DA45C68
  860D9905 B0FF882D B6B96641 69B9A601 F6ED9E19 24BFB905 890D0FD7 BEE3C60A
  0385919D 8C733D16 E830B860 23C43C07 DCCB01BD 34BF6FFC F27F8BA9 28E5ACC7
  7D82F9EC 5F9A3BF7 811FC0B1 301DEFE2 3E06ADCA 0144136E B905D904 91243809
  FAC2F8FE BD020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 1604148A C8C4EA5A 6D91FE86 ED951D39 FC63AB62 E90D1F30 0D06092A
  864886F7 0D010105 05000381 8100711E B9B3EE1B 6020702B 80E80704 1B42BC99
  03C70C01 430EB95A E5A406F0 2B101B19 86158E53 ABAB8C81 5936A62C 34C66AA0
  FBA41EDD C08DBECF 3E3E2138 8B5963FE C45816E6 381958BF 67B8A012 EC1AE394
  84D0617E 4D2DE05B 669A1291 1DA08FF0 1257E42B 1BA73788 EF7B24CB 7798D54A
  E703F45B 3C03ED4C 2BD75F85 D28C
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
! R1 - FlexVPN hub running-config, part 2: IKEv2/IPsec policy, interfaces, lines.
redundancy

! Connection state database (csdb) session limits and timers.
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
! Policy pushed to each spoke during the IKEv2 configuration exchange. It is
! selected by the profile's "aaa authorization group cert list Author-List
! default" line; "local" authorization resolves the name "default" to this block.
crypto ikev2 authorization policy default
 ! Spoke tunnel addresses come from FlexPool (defined further down as
 ! 172.16.0.100-172.16.0.200).
 pool FlexPool
 ! Advertises the hub's tunnel (virtual-access) interface address to the spoke
 ! as a route.
 route set interface
!
! IKE SA algorithms: AES-256-CBC, HMAC-SHA-256, DH group 14 (2048-bit MODP).
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14

! Hub-side IKEv2 profile; both sides authenticate with RSA certificates.
crypto ikev2 profile IKEv2-Profile
 ! Peer selection: any peer whose certificate matches map CMAP (issuer contains
 ! "cbtnuggets"). Combined with the single "default" authorization policy, every
 ! certificate from that CA receives the same pool/route policy.
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 ! Authorization keyed on the certificate ("group cert"); method list
 ! Author-List, policy name "default".
 aaa authorization group cert list Author-List default
 ! Each spoke gets its own virtual-access interface cloned from Virtual-Template1.
 virtual-template 1
!
crypto isakmp diagnose error

! ESP with AES-GCM-256 (an AEAD cipher, hence no separate ESP integrity algorithm).
crypto ipsec transform-set default esp-gcm 256
!
! IPsec profile applied to the virtual template; binds the IKEv2 profile above.
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile

! Loopback0 lends its address to the per-spoke virtual-access interfaces
! ("ip unnumbered Loopback0" on Virtual-Template1).
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Hub LAN stand-in, advertised into OSPF area 0 over the tunnels.
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
! Underlay/WAN interface: tunnel source for the virtual template and the
! "tunnel destination" (15.0.0.1) configured on the spokes.
interface Ethernet0/0
 ip address 15.0.0.1 255.255.255.0
!
! Ethernet0/1-0/3 and Serial1/0-1/3 are unused and shut down.
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
! Template for the dynamic spoke tunnels (IPsec VTI). Each cloned virtual-access
! interface borrows Loopback0's address, joins OSPF area 0 and is protected by
! IPsec profile "default".
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! No network statements: interfaces join OSPF via their "ip ospf 1 area 0" lines.
router ospf 1
!
! Address pool handed to spokes by the authorization policy above.
ip local pool FlexPool 172.16.0.100 172.16.0.200
ip forward-protocol nd
!
!
! HTTP/HTTPS management disabled on the hub.
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 15.0.0.5
!
no cdp advertise-v2

control-plane

alias exec c config t
!
! Lab-style console: never times out and lands directly in privilege level 15.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
! NOTE(review): "transport input all" admits every protocol including Telnet,
! and no "aaa authentication login" or local username appears in this config,
! so how VTY logins are authenticated (with aaa new-model on) is not visible
! here -- confirm before exposing the VTYs beyond the lab.
line vty 0 4
 transport input all
!
! NTP from the same host as the CA; no NTP authentication is configured, and
! the clock feeds certificate validity checks.
ntp server 5.5.5.5
!
end


R2# show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:16 PST Tue Jul 1 2014
! R2 - FlexVPN spoke running-config, part 1: platform globals and PKI trustpoint.
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
! No usernames or secrets appear in this config, so this setting has no effect
! today; revisit it if credentials are ever added.
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
! Spokes do not use AAA: they receive (rather than serve) the authorization
! policy pushed by the hub.
no aaa new-model
! Clock/timezone feed certificate validity checks.
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated

! Same CA as the hub: the spoke enrolls its own certificate here and validates
! the hub's certificate against it (see "pki trustpoint Trusted-CA" in part 2).
crypto pki trustpoint Trusted-CA
 ! Enrollment against the CA at 5.5.5.5 over plain HTTP.
 enrollment url http://5.5.5.5:80
 serial-number none
 ! Identity fields written into this router's certificate request.
 fqdn r2.cbtnuggets.com
 ip-address 25.0.0.2
 subject-name CN=r2,O=cbtnuggets.com
 ! SECURITY: no CRL/OCSP check, so a revoked hub certificate would still be
 ! accepted until it expires. Lab setting.
 revocation-check none
 rsakeypair r2.cbtnuggets.com

! Matched by "match certificate CMAP" in the IKEv2 profile; "co" = contains, so
! this is an issuer-name-only check.
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 05
  3082024A 308201B3 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3033395A 170D3135 30373031
  32303130 33395A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723231 37301506 092A8648 86F70D01 09081308
  32352E30 2E302E32 301E0609 2A864886 F70D0109 02161172 322E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00958128 72E94635 39249318 793E25AC E6062475 665090ED B3E40332
  23103752 AA80E558 88FE1B90 6D0A55CB 15529219 17CF9A3B 56C24BF6 C16F3221
  CB70634A 566D821A ACEAE2C4 F2E8F67D 78D59990 109DE621 D4A143EA C8325A8A
  73619F29 EA777FE5 E9A058B7 87E35769 F6856F02 D0F4E8D9 6CF3D35D 331DA62E
  4219C27B 55020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 16041416 501C1D6B B2D383A3 3DE6EDAF 37A9DE90 B3026530 0D06092A
  864886F7 0D010105 05000381 81003DCA 088EE816 DADEB245 A352C090 8395401C
  1BA6F26B 935C9DC7 86DE1FA7 61D5B31F CF424EC7 8779550F 3F32E3DF E5CFA6BC
  CBC441F3 BC0571DC F2749731 0B9848E9 62201362 07B62352 49607F3C 35F2E699
  6A16D7EC ACECB68F 47D08011 E41D892D 1300D866 71D46CA8 7B88B15B 13608858
  0300EDBE BBCC1843 22B6A956 1F72
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
! R2 - FlexVPN spoke running-config, part 2: IKEv2/IPsec policy, interfaces, lines.
redundancy

! Connection state database (csdb) session limits and timers.
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535

! Must agree with the hub's proposal: AES-256-CBC / HMAC-SHA-256 / DH group 14.
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14

! Spoke-side IKEv2 profile: the hub's profile minus AAA and virtual-template.
! The hub is accepted if its certificate matches CMAP (issuer contains
! "cbtnuggets") and validates under Trusted-CA; both sides use RSA signatures.
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
! ESP with AES-GCM-256, matching the hub.
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Spoke LAN stand-in, advertised into OSPF area 0 over the tunnel.
interface Loopback1
 ip address 10.2.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
! Static IPsec VTI to the hub. "ip address negotiated" is the change made in
! this post: the tunnel address is assigned from the hub's FlexPool during the
! IKEv2 configuration exchange instead of being set statically.
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 ! The hub's Ethernet0/0 address.
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
! Underlay/WAN interface (tunnel source).
interface Ethernet0/0
 ip address 25.0.0.2 255.255.255.0
!
! Ethernet0/1-0/3 and Serial1/0-1/3 are unused and shut down.
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
! No network statements: interfaces join OSPF via their "ip ospf 1 area 0" lines.
router ospf 1
!
ip forward-protocol nd
!
!
! HTTP/HTTPS management disabled.
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 25.0.0.5
!
no cdp advertise-v2

control-plane

alias exec c config t
!
! Lab-style console: never times out and lands directly in privilege level 15.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
! NOTE(review): "login" is set but no "password" line appears under the VTYs
! and AAA is off, so IOS should refuse remote sessions as configured;
! "transport input all" also admits Telnet. Lab settings -- confirm before reuse.
line vty 0 4
 login
 transport input all
!
! Unauthenticated NTP from the CA host; the clock feeds certificate validity checks.
ntp server 5.5.5.5
!
end


R3#show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:36 PST Tue Jul 1 2014
! R3 - FlexVPN spoke running-config, part 1: platform globals and PKI trustpoint.
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
! No usernames or secrets appear in this config, so this setting has no effect
! today; revisit it if credentials are ever added.
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker

! Spokes do not use AAA: they receive (rather than serve) the authorization
! policy pushed by the hub.
no aaa new-model
! Clock/timezone feed certificate validity checks.
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated

! Same CA as the hub: the spoke enrolls its own certificate here and validates
! the hub's certificate against it (see "pki trustpoint Trusted-CA" in part 2).
crypto pki trustpoint Trusted-CA
 ! Enrollment against the CA at 5.5.5.5 over plain HTTP.
 enrollment url http://5.5.5.5:80
 serial-number none
 ! Identity fields written into this router's certificate request.
 fqdn r3.cbtnuggets.com
 ip-address 35.0.0.3
 subject-name CN=r3,O=cbtnuggets.com
 ! SECURITY: no CRL/OCSP check, so a revoked hub certificate would still be
 ! accepted until it expires. Lab setting.
 revocation-check none
 rsakeypair r3.cbtnuggets.com

! Matched by "match certificate CMAP" in the IKEv2 profile; "co" = contains, so
! this is an issuer-name-only check.
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 06
  3082024A 308201B3 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3131305A 170D3135 30373031
  32303131 31305A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723331 37301506 092A8648 86F70D01 09081308
  33352E30 2E302E33 301E0609 2A864886 F70D0109 02161172 332E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00B1EA0F 0329DF33 D5CE118E BE3215D7 DDA70509 7312ACF5 346EC84A
  C3DE07BE 8EB840BD 427BF130 3F8B02E3 1604ECCD B865AC49 A59602B4 167AFA7F
  0BE75EF4 AC22F6EC 266E2E1C 6947D829 6F045782 8E65AC4E C0BE8010 5BF0149C
  A37902CF FBAD642C BE68AD1B 1BC9F7F3 DCB5BCBF BE9960BE 96753AD8 4014C0D2
  65334830 49020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 16041460 127B3E86 EFE1CDB9 D25E62A1 77E480BE C8DE6F30 0D06092A
  864886F7 0D010105 05000381 81004663 8ACBCFB3 CD3C5D83 98386A62 F3F1931B
  1E5229D3 896F2A22 C933F881 AC762260 B5419243 9168CB3B D9D21ECD 7DAA594B
  8A02E3E4 05F0675E 7E727C48 1407E5C9 9067E9B7 C06AFBAD B85D20C9 344D3EE0
  51312B0C 1619F875 43A0B76E 6FFBF2BF D04B533C 01655FF9 EEA0941E A5008CD2
  5E3F9148 40E14638 43016CD4 254C
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
! R3 - FlexVPN spoke running-config, part 2: IKEv2/IPsec policy, interfaces, lines.
redundancy

! Connection state database (csdb) session limits and timers.
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535

! Must agree with the hub's proposal: AES-256-CBC / HMAC-SHA-256 / DH group 14.
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14

! Spoke-side IKEv2 profile: the hub's profile minus AAA and virtual-template.
! The hub is accepted if its certificate matches CMAP (issuer contains
! "cbtnuggets") and validates under Trusted-CA; both sides use RSA signatures.
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error

! ESP with AES-GCM-256, matching the hub.
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! Spoke LAN stand-in, advertised into OSPF area 0 over the tunnel.
interface Loopback1
 ip address 10.3.3.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
! Static IPsec VTI to the hub. "ip address negotiated" is the change made in
! this post: the tunnel address is assigned from the hub's FlexPool during the
! IKEv2 configuration exchange instead of being set statically.
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 ! The hub's Ethernet0/0 address.
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
! Underlay/WAN interface (tunnel source).
interface Ethernet0/0
 ip address 35.0.0.3 255.255.255.0
!
! Ethernet0/1-0/3 and Serial1/0-1/3 are unused and shut down.
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
! No network statements: interfaces join OSPF via their "ip ospf 1 area 0" lines.
router ospf 1
!
ip forward-protocol nd
!
!
! HTTP/HTTPS management disabled.
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.0.0.5
!
no cdp advertise-v2

control-plane

alias exec c config t
!
! Lab-style console: never times out and lands directly in privilege level 15.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
! NOTE(review): "login" is set but no "password" line appears under the VTYs
! and AAA is off, so IOS should refuse remote sessions as configured;
! "transport input all" also admits Telnet. Lab settings -- confirm before reuse.
line vty 0 4
 login
 transport input all
!
! Unauthenticated NTP from the CA host; the clock feeds certificate validity checks.
ntp server 5.5.5.5
!
end


R4#show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:51 PST Tue Jul 1 2014
! R4 - FlexVPN spoke running-config, part 1: platform globals and PKI trustpoint.
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
! No usernames or secrets appear in this config, so this setting has no effect
! today; revisit it if credentials are ever added.
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker

! Spokes do not use AAA: they receive (rather than serve) the authorization
! policy pushed by the hub.
no aaa new-model
! Clock/timezone feed certificate validity checks.
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180

ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated

! Same CA as the hub: the spoke enrolls its own certificate here and validates
! the hub's certificate against it (see "pki trustpoint Trusted-CA" in part 2).
crypto pki trustpoint Trusted-CA
 ! Enrollment against the CA at 5.5.5.5 over plain HTTP.
 enrollment url http://5.5.5.5:80
 serial-number none
 ! Identity fields written into this router's certificate request.
 fqdn r4.cbtnuggets.com
 ip-address 45.0.0.4
 subject-name CN=r4,O=cbtnuggets.com
 ! SECURITY: no CRL/OCSP check, so a revoked hub certificate would still be
 ! accepted until it expires. Lab setting.
 revocation-check none
 rsakeypair r4.cbtnuggets.com

! Matched by "match certificate CMAP" in the IKEv2 profile; "co" = contains, so
! this is an issuer-name-only check.
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 07
  3082024A 308201B3 A0030201 02020107 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3133395A 170D3135 30373031
  32303131 33395A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723431 37301506 092A8648 86F70D01 09081308
  34352E30 2E302E34 301E0609 2A864886 F70D0109 02161172 342E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00B343F4 E93CD649 7BC99C33 3EDF887E 977BE584 29002562 224C3F55
  AAE65EF1 4966E5B6 714C6BD6 0DBE4A99 5B08C38E 2B263F01 F90802A1 3AEFC4D5
  F6C4843D 2AC5D695 06EA39F7 6F3A4CD4 9253FCCF 8E5FA17D 265CC49B A27BD3D7
  0BABC34C B4DD79EE A560246A 48150AE4 4798327D C4BE1326 5E10F1BF 083DE022
  1F8B81AB F9020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 160414FE A8B17992 5E253531 80017713 C15B5D02 917A5030 0D06092A
  864886F7 0D010105 05000381 81004D17 8AC3681E 3EDEAEF5 797E352A 6DE87B62
  C9A22B7F DFEA1B52 6742EE86 4A7C4719 905B6557 999D02A7 F582E32D 3A21856C
  4D6C15BD 91A3023F B50E90DB C9FF0B37 8FE78CEE 0C46F320 DDBA7771 0B48F05A
  03A7966D 9493CF66 FF945098 E42C7F52 7122DC78 96232F68 E67B5A53 BD4AD682
  A585969C 24E97994 0931E32D F3A1
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
! R4 - FlexVPN spoke running-config, part 2: IKEv2/IPsec policy, interfaces, lines.
redundancy

! Connection state database (csdb) session limits and timers.
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535

! Must agree with the hub's proposal: AES-256-CBC / HMAC-SHA-256 / DH group 14.
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14

! Spoke-side IKEv2 profile: the hub's profile minus AAA and virtual-template.
! The hub is accepted if its certificate matches CMAP (issuer contains
! "cbtnuggets") and validates under Trusted-CA; both sides use RSA signatures.
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
! ESP with AES-GCM-256, matching the hub.
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
! Spoke LAN stand-in, advertised into OSPF area 0 over the tunnel.
interface Loopback1
 ip address 10.4.4.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
! Static IPsec VTI to the hub. "ip address negotiated" is the change made in
! this post: the tunnel address is assigned from the hub's FlexPool during the
! IKEv2 configuration exchange instead of being set statically.
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 ! The hub's Ethernet0/0 address.
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
! Underlay/WAN interface (tunnel source).
interface Ethernet0/0
 ip address 45.0.0.4 255.255.255.0
!
! Ethernet0/1-0/3 and Serial1/0-1/3 are unused and shut down.
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
! No network statements: interfaces join OSPF via their "ip ospf 1 area 0" lines.
router ospf 1
!
ip forward-protocol nd
! NOTE(review): unlike R1-R3 ("no ip http server"), the HTTP management server
! is enabled on this spoke. The leading space suggests a transcription slip in
! the post rather than an intentional difference; either way, disable it (or at
! least restrict it with "ip http access-class") if this config is reused.
 ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 45.0.0.5
!
no cdp advertise-v2

control-plane

alias exec c config t
!
! Lab-style console: never times out and lands directly in privilege level 15.
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
! NOTE(review): "login" is set but no "password" line appears under the VTYs
! and AAA is off, so IOS should refuse remote sessions as configured;
! "transport input all" also admits Telnet. Lab settings -- confirm before reuse.
line vty 0 4
 login
 transport input all
!
! Unauthenticated NTP from the CA host; the clock feeds certificate validity checks.
ntp server 5.5.5.5
!
end

R4#

