username test1@example.com password 0 Cisco
username test2@example.com password 0 Cisco
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
!
bba-group pppoe PPPOE-GROUP2
virtual-template 2
!
!
interface Loopback1
ip address 40.40.40.1 255.255.255.255
!
interface Ethernet0/0
no ip address
pppoe enable group PPPOE-GROUP1
!
interface Ethernet0/1
no ip address
pppoe enable group PPPOE-GROUP2
!
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
!
interface Virtual-Template2
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL2
ppp authentication chap
!
ip local pool POOL1 30.30.30.1
ip local pool POOL2 30.30.30.2
---------------------------------------------
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set IPSEC
!
!
!
!
!
!
!
interface Tunnel0
ip address 100.100.100.1 255.255.255.0
tunnel source 30.30.30.1
tunnel mode ipsec ipv4
tunnel destination 30.30.30.2
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
ip address 192.168.2.250 255.255.255.0
!
interface Ethernet1/1
no ip address
shutdown
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
interface Ethernet2/0
no ip address
shutdown
!
interface Ethernet2/1
no ip address
shutdown
!
interface Ethernet2/2
no ip address
shutdown
!
interface Ethernet2/3
no ip address
shutdown
!
interface Ethernet3/0
no ip address
shutdown
!
interface Ethernet3/1
no ip address
shutdown
!
interface Ethernet3/2
no ip address
shutdown
!
interface Ethernet3/3
no ip address
shutdown
!
interface Dialer1
ip address negotiated
ip mtu 1454
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname test1@example.com
ppp chap password 0 Cisco
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.200.0 255.255.255.0 Tunnel0
!
dialer-list 1 protocol ip permit
!
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
!ip route default gateway pp 1
ip route 192.168.2.0/24 gateway tunnel 1
ip lan1 address 192.168.100.1/24
ip lan2 address 192.168.200.250/24
pp select 1
pp always-on on
pppoe use lan1
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname test1@example.com Cisco
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
pp enable 1
tunnel select 1
tunnel endpoint address 30.30.30.2
ipsec tunnel 101
ipsec sa policy 101 1 esp 3des-cbc md5-hmac
ipsec ike keepalive use 1 on dpd
ipsec ike local id 1 0.0.0.0/32
ipsec ike pre-shared-key 1 text cisco
ipsec ike remote address 1 30.30.30.1
ipsec ike remote id 1 0.0.0.0/32
tunnel enable 1
ipsec use on
ipsec auto refresh on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.2-192.168.100.191/24
#
IOU1#sh pppoe se
IOU1#sh pppoe session
IOU1#
IOU1#
IOU1#sh cry
IOU1#sh crypto is
IOU1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.100.1 192.168.110.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
IOU1#
IOU1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.110.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.110.1, remote crypto endpt.: 192.168.100.1
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
current outbound spi: 0x48B08A03(1219529219)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAADA43C1(2866430913)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4212526/929)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x48B08A03(1219529219)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4212525/929)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
IOU1#
IOU1#
IOU1#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec 3DES+MD5 0 5 5 192.168.110.1
2 IPsec 3DES+MD5 10 0 0 192.168.110.1
1001 IKE MD5+3DES 0 0 0 192.168.110.1
IOU1#
IOU1#
IOU1#sh ip int b
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.2.250 YES manual up up
Ethernet0/1 unassigned YES NVRAM administratively down down
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Ethernet1/0 192.168.110.1 YES manual up up
Ethernet1/1 unassigned YES NVRAM administratively down down
Ethernet1/2 unassigned YES NVRAM administratively down down
Ethernet1/3 unassigned YES NVRAM administratively down down
Ethernet2/0 unassigned YES unset administratively down down
Ethernet2/1 unassigned YES unset administratively down down
Ethernet2/2 unassigned YES unset administratively down down
Ethernet2/3 unassigned YES unset administratively down down
Ethernet3/0 unassigned YES unset administratively down down
Ethernet3/1 unassigned YES unset administratively down down
Ethernet3/2 unassigned YES unset administratively down down
Ethernet3/3 unassigned YES unset administratively down down
Tunnel0 100.100.100.1 YES manual up up
IOU1#
IOU1#
IOU1#
IOU1#
IOU1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.100.100.0/24 is directly connected, Tunnel0
L 100.100.100.1/32 is directly connected, Tunnel0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Ethernet0/0
L 192.168.2.250/32 is directly connected, Ethernet0/0
S 192.168.100.0/24 [1/0] via 192.168.110.2
192.168.110.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.110.0/24 is directly connected, Ethernet1/0
L 192.168.110.1/32 is directly connected, Ethernet1/0
S 192.168.200.0/24 is directly connected, Tunnel0
IOU1#
IOU1#
IOU1#
IOU3#
IOU3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.1 20.20.20.1 QM_IDLE 1001 ACTIVE
20.20.20.1 10.10.10.1 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
IOU3#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.10.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 20.20.20.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 20.20.20.1
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
current outbound spi: 0xF2B9DFE0(4072267744)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8A840170(2323906928)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1800)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF6A7E1CD(4138197453)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1801)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x68D297D6(1758631894)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4251990/1801)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7C666D53(2087087443)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1800)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE05FC8BE(3764373694)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1801)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF2B9DFE0(4072267744)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4251990/1801)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
IOU3#
IOU3#
IOU3#
IOU3#
IOU3# show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec 3DES+MD5 0 0 0 10.10.10.1
2 IPsec 3DES+MD5 0 0 0 10.10.10.1
3 IPsec 3DES+MD5 0 0 0 10.10.10.1
4 IPsec 3DES+MD5 0 0 0 10.10.10.1
5 IPsec 3DES+MD5 0 5 5 10.10.10.1
6 IPsec 3DES+MD5 5 0 0 10.10.10.1
1001 IKE MD5+3DES 0 0 0 10.10.10.1
1002 IKE MD5+3DES 0 0 0 10.10.10.1
IOU3#
+++++++++++++++++++++++++++++++
IOU4#
IOU4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
20.20.20.1 10.10.10.1 QM_IDLE 1002 ACTIVE
10.10.10.1 20.20.20.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
IOU4#
IOU4#
IOU4#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 20.20.20.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.10.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.10.10.1
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1/0
current outbound spi: 0x68D297D6(1758631894)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7C666D53(2087087443)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1724)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xE05FC8BE(3764373694)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1725)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF2B9DFE0(4072267744)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4364019/1725)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8A840170(2323906928)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1724)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xF6A7E1CD(4138197453)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4608000/1725)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x68D297D6(1758631894)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4364019/1725)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
IOU4#
IOU4#
IOU4#
IOU4#show crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1 IPsec 3DES+MD5 0 0 0 20.20.20.1
2 IPsec 3DES+MD5 0 0 0 20.20.20.1
3 IPsec 3DES+MD5 0 0 0 20.20.20.1
4 IPsec 3DES+MD5 0 0 0 20.20.20.1
5 IPsec 3DES+MD5 0 5 5 20.20.20.1
6 IPsec 3DES+MD5 5 0 0 20.20.20.1
1001 IKE MD5+3DES 0 0 0 20.20.20.1
1002 IKE MD5+3DES 0 0 0 20.20.20.1
IOU4#
!
control-plane
!
!
!