Cisco IOS – Hub and Spoke VPN with VTI, dual hubs, spokes with redundant internet access

Hub and Spoke VPN with VTI, dual hubs, spokes with redundant internet access

Vti overview.png

Primary

Vti maintunnels.png

Backup

Vti alltunnels.png
Vti routing.png
Topology
Vti topology.png

Hub 1

!
hostname Hub1
!
ip cef
no ip domain lookup
!
!- cloned Virtual-Access interfaces default to Virtual-Template1
virtual-profile virtual-template 1
!
!- Key chain for EIGRP authentication, the same for all hubs/spokes
!- NOTE(review): one static key-string shared by every hub and spoke, no key lifetimes;
!- the key is stored here in clear text, so treat these configs as secrets and rotate the key
key chain VTI_CHAIN
 key 10
   key-string whocares
!
!- Shaping is used to test per-spoke QoS features, in combination
!- with policing at ISP2 (to simulate low-bandwidth backup links)
class-map match-all CM_TEST-SHAPE
 match access-group name ACL_TEST-SHAPE
!
!- shape the matched traffic (ICMP echo/echo-reply, see ACL_TEST-SHAPE) to 8 kbit/s
policy-map PM_TEST-SHAPE
 class CM_TEST-SHAPE
  shape average 8000 1000 0
!
!- one IKE policy for all Spokes (IKEv1: AES-192, pre-shared key, DH group 2)
!- NOTE(review): DH group 2 and the SHA-1 based transform set below are lab-grade;
!- for production prefer a larger DH group and SHA-2 where the platform supports them
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
!- the sample uses a wildcard preshared key
!- for production use, please consider the use of certificate-based spoke authentication
!- (with this key any peer that knows it can bring up a tunnel to either template;
!- nothing here ties a spoke to a specific identity)
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!- DPD and SPI recovery, to provide faster IPSec reconvergence
!- the DPD keepalives can be more aggressive in the real world
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
!- IKE profiles, used to tie IKE requests to the correct VTI, based on
!- the local tunnel address (192.0.2.10 -> Virtual-Template1, 192.0.2.20 -> Virtual-Template2)
!- "match identity address 0.0.0.0" is meant to accept any peer address, so the
!- template is selected by local-address only; "keyring default" resolves to the
!- wildcard key above
crypto isakmp profile IKE_PROF_DSL_PRI
   description *** IKE Profile for DSL (primary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
   local-address 192.0.2.10
crypto isakmp profile IKE_PROF_3G_PRI
   description *** IKE Profile for 3G (primary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 2
   local-address 192.0.2.20
!
!- ESP with AES-192 encryption and HMAC-SHA1 integrity
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
!- IPSec protection suite, used at the VTI interfaces
!- couples the IKE profile, the VTI interface and the
!- IPSec transform set together; PFS (DH group 2) on every IPSec rekey
crypto ipsec profile IPSEC_PROF_3G_PRI
 description *** IPSec Profile for 3G (primary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_3G_PRI
!
crypto ipsec profile IPSEC_PROF_DSL_PRI
 description *** IPSec Profile for DSL (primary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_DSL_PRI
!
!- Loopback for management and for the Tunnel network
!- (Tunnel interfaces are unnumbered)
interface Loopback1
 description *** This box (primary Hub) ***
 ip address 198.18.1.1 255.255.255.255
!
!- Loopback address, used as the spoke tunnel destination
!- for the 1st preferred tunnel (spoke Tunnel10); advertised to ISP1 by BGP below
interface Loopback10
 description *** Tunnel Source for DSL (primary Hub) ***
 ip address 192.0.2.10 255.255.255.255
!
!- Loopback address, used as the spoke tunnel destination
!- for the 3rd most preferred tunnel (spoke Tunnel20); advertised to ISP1 by BGP below
interface Loopback20
 description *** Tunnel Source for 3G (primary Hub) ***
 ip address 192.0.2.20 255.255.255.255
!
!- inside LAN; HSRP priority 105 plus preempt makes this hub the active gateway
!- for 198.18.18.254 (Hub2 runs the same group at the default priority)
interface Ethernet0/0
 description *** Inside (primary Hub) ***
 bandwidth 10000
 ip address 198.18.18.253 255.255.255.0
 half-duplex
 standby 1 ip 198.18.18.254
 standby 1 priority 105
 standby 1 preempt
!
!- NOTE(review): no inbound ACL on the outside interface; outside the lab restrict
!- inbound traffic to IKE (UDP 500/4500) and ESP from the expected spoke ranges
interface Ethernet0/1
 description *** Outside (primary Hub) ***
 ip address 192.0.2.2 255.255.255.248
 half-duplex
!
!- point-to-point link to Hub2; it is not passive in EIGRP, so the two hubs
!- exchange routes here
interface Ethernet0/2
 description *** Hub Transfer Network (primary Hub) ***
 bandwidth 10000000
 ip address 198.18.17.1 255.255.255.252
 half-duplex
!
!- the first Virtual Template Interface (1st preferred tunnel)
!- Virtual-Access interfaces get cloned from this template, one per spoke
!
interface Virtual-Template1 type tunnel
 description *** Tunnel Template for DSL (primary Hub) ***
 bandwidth 4000
!- every cloned VTI borrows the Loopback1 address (unnumbered tunnel network)
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
!- advertise only a default route to the spokes; distance 255 is presumably used so
!- the hub does not install the summary route itself - verify on the platform in use
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
!- delay gets adjusted: EIGRP is set to use delay only (metric weights 0 0 0 1 0 0),
!- so the delay alone orders the four hub/path combinations
!- (Hub1 DSL 1000 < Hub2 DSL 2000 < Hub1 3G 3000 < Hub2 3G 4000)
 delay 1000
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_DSL_PRI
!
!- the second Virtual Template Interface (3rd most preferred tunnel)
!- Virtual-Access interfaces get cloned from this template, one per spoke
!
interface Virtual-Template2 type tunnel
 description *** Tunnel Template for 3G (primary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
!- delay gets adjusted (3rd in the preference order, see Virtual-Template1)
 delay 3000
 tunnel source Loopback20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_3G_PRI
!- per-spoke shaping on the 3G path: each cloned VTI gets its own policy instance
 service-policy output PM_TEST-SHAPE
!
router eigrp 1
!- it's not possible to use "passive-interface default", this would disable EIGRP on
!- cloned interfaces (bug CSCtg84649)
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
!- covers Loopback1, the inside LAN, the hub transfer link and the unnumbered VTIs
 network 198.18.0.0 0.0.255.255
!- only delay shall be included in metric calculation (K3 = 1, all other K values 0)
 metric weights 0 0 0 1 0 0
!- only used for redistributed routes, which this config does not have
 default-metric 1000 1 255 1 1500
 no auto-summary
!
!- BGP is not required for VTI, it's only used to advertise the
!- tunnel endpoint loopbacks to ISP1 in this test scenario
!- (eBGP to ISP1 at 192.0.2.1, iBGP to Hub2 at 192.0.2.3)
router bgp 65535
 no synchronization
 bgp log-neighbor-changes
 network 192.0.2.10 mask 255.255.255.255
 network 192.0.2.20 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65500
 neighbor 192.0.2.3 remote-as 65535
 no auto-summary
!
!- route the internal data network via the "FW" box on the inside LAN
ip route 198.18.0.0 255.254.0.0 198.18.18.1
!
!- traffic selected for the test shaper: ICMP echo and echo-reply only
ip access-list extended ACL_TEST-SHAPE
 permit icmp any any echo
 permit icmp any any echo-reply
!
end

Hub 2

!
hostname Hub2
!
ip cef
no ip domain lookup
!
!- cloned Virtual-Access interfaces default to Virtual-Template1
virtual-profile virtual-template 1
!
!- EIGRP authentication key chain, identical on all hubs and spokes
!- NOTE(review): static clear-text key without lifetimes, shared by every device
key chain VTI_CHAIN
 key 10
   key-string whocares
!
!- per-spoke test shaper, same as on Hub1 (matches ICMP echo via ACL_TEST-SHAPE)
class-map match-all CM_TEST-SHAPE
 match access-group name ACL_TEST-SHAPE
!
policy-map PM_TEST-SHAPE
 class CM_TEST-SHAPE
  shape average 8000 1000 0
!
!- IKE policy, identical to Hub1 (lab-grade DH group 2 / SHA-1 suite)
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
!- wildcard pre-shared key: any peer that knows it can authenticate to this hub;
!- prefer certificates or per-spoke keys outside the lab
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!- DPD and invalid-SPI recovery for faster reconvergence, same timers as Hub1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
!- IKE profiles select the virtual template by local tunnel address
!- (192.0.2.11 -> Virtual-Template1 for DSL, 192.0.2.21 -> Virtual-Template2 for 3G);
!- "match identity address 0.0.0.0" is meant to accept any peer address
crypto isakmp profile IKE_PROF_DSL_SEC
   description *** IKE Profile for DSL (secondary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
   local-address 192.0.2.11
crypto isakmp profile IKE_PROF_3G_SEC
   description *** IKE Profile for 3G (secondary Hub) ***
   keyring default
   match identity address 0.0.0.0
   virtual-template 2
   local-address 192.0.2.21
!
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
!- IPSec profiles bind transform set, PFS and IKE profile to each VTI
crypto ipsec profile IPSEC_PROF_3G_SEC
 description *** IPSec Profile for 3G (secondary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_3G_SEC
!
crypto ipsec profile IPSEC_PROF_DSL_SEC
 description *** IPSec Profile for DSL (secondary Hub) ***
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
 set isakmp-profile IKE_PROF_DSL_SEC
!
!- management / tunnel network address; all VTIs are unnumbered to it
interface Loopback1
 description *** This box (secondary Hub) ***
 ip address 198.18.1.2 255.255.255.255
!
!- spoke tunnel destination for the 2nd preferred tunnel (spoke Tunnel11)
interface Loopback11
 description *** Tunnel Source for DSL (secondary Hub) ***
 ip address 192.0.2.11 255.255.255.255
!
!- spoke tunnel destination for the least preferred tunnel (spoke Tunnel21)
interface Loopback21
 description *** Tunnel Source for 3G (secondary Hub) ***
 ip address 192.0.2.21 255.255.255.255
!
!- inside LAN; same HSRP group as Hub1 but at the default priority, so this hub is
!- standby for 198.18.18.254 and becomes active only if Hub1 (priority 105) drops out
interface Ethernet0/0
 description *** Inside (secondary Hub) ***
 bandwidth 10000
 ip address 198.18.18.252 255.255.255.0
 half-duplex
 standby 1 ip 198.18.18.254
 standby 1 preempt
!
!- NOTE(review): no inbound ACL on the outside interface; outside the lab restrict
!- inbound traffic to IKE (UDP 500/4500) and ESP from the expected spoke ranges
interface Ethernet0/1
 description *** Outside (secondary Hub) ***
 ip address 192.0.2.3 255.255.255.248
 half-duplex
!
!- point-to-point link to Hub1, not passive in EIGRP
interface Ethernet0/2
 description *** Hub Transfer Network (secondary Hub) ***
 bandwidth 10000000
 ip address 198.18.17.2 255.255.255.252
 half-duplex
!
!- DSL template: cloned once per spoke; only delay feeds the EIGRP metric, and
!- 2000 places this path second (Hub1 DSL 1000 < Hub2 DSL 2000 < Hub1 3G 3000 < Hub2 3G 4000)
interface Virtual-Template1 type tunnel
 description *** Tunnel Template for DSL (secondary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
!- advertise only a default route to the spokes (distance 255 as on Hub1)
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 delay 2000
 tunnel source Loopback11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_DSL_SEC
!
!- 3G template: least preferred path (delay 4000), with the per-spoke test shaper
interface Virtual-Template2 type tunnel
 description *** Tunnel Template for 3G (secondary Hub) ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255
 logging event subif-link-status
 delay 4000
 tunnel source Loopback21
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_3G_SEC
 service-policy output PM_TEST-SHAPE
!
router eigrp 1
!- "passive-interface default" is avoided here, it would disable EIGRP on the
!- cloned VTIs (see the Hub1 comment on bug CSCtg84649)
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
 network 198.18.0.0 0.0.255.255
!- delay only (K3 = 1), as on Hub1 and the spokes
 metric weights 0 0 0 1 0 0
 no auto-summary
!
!- BGP only advertises the tunnel endpoint loopbacks to ISP1
!- (eBGP to ISP1 at 192.0.2.1, iBGP to Hub1 at 192.0.2.2)
router bgp 65535
 no synchronization
 bgp log-neighbor-changes
 network 192.0.2.11 mask 255.255.255.255
 network 192.0.2.21 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65500
 neighbor 192.0.2.2 remote-as 65535
 no auto-summary
!
!- route the internal data network via the "FW" box on the inside LAN
ip route 198.18.0.0 255.254.0.0 198.18.18.1
!
!- traffic selected for the test shaper: ICMP echo and echo-reply only
ip access-list extended ACL_TEST-SHAPE
 permit icmp any any echo
 permit icmp any any echo-reply
!

Spoke 1

!
hostname Spoke1
!
ip cef
!
!- required for the PPPoE client on Ethernet0/1
vpdn enable
!
!
!
!- EIGRP authentication key chain, must match the hubs
!- NOTE(review): same static clear-text key on every device; rotate and protect it
key chain VTI_CHAIN
 key 10
   key-string whocares
!
!- IKE policy, must match the hubs' policy 1 (lab-grade DH group 2 / SHA-1 suite)
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
!- one pre-shared key per hub tunnel endpoint (all four use the same value here)
!- NOTE(review): lab key; in production use per-spoke keys or certificates
crypto isakmp key cisco address 192.0.2.10
crypto isakmp key cisco address 192.0.2.11
crypto isakmp key cisco address 192.0.2.20
crypto isakmp key cisco address 192.0.2.21
!- DPD and invalid-SPI recovery, same timers as the hubs
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
!- one IPSec profile for all four tunnels; unlike the hubs, no isakmp-profile is set
crypto ipsec profile IPSEC_PROF_ALL
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
!
!- PPPoE client group referenced by Ethernet0/1
bba-group pppoe global
!
!- tunnel network address of this spoke; all four tunnels are unnumbered to it
interface Loopback1
 description *** This box (Spoke) ***
 ip address 198.18.248.1 255.255.255.255
!
!- Tunnel10: DSL (Dialer1) to Hub1, the most preferred path
!- delay values 10 < 11 < 200 < 210 order the tunnels, since EIGRP is configured
!- to use delay only (metric weights 0 0 0 1 0 0)
interface Tunnel10
 description *** Tunnel via DSL to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 10
!- the tunnel uses whatever address Dialer1 negotiated; the static host route at the
!- bottom pins 192.0.2.10 to Dialer1 so the tunnel always leaves via ISP1
 tunnel source Dialer1
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel11: DSL (Dialer1) to Hub2, second preference
interface Tunnel11
 description *** Tunnel via DSL to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 11
 tunnel source Dialer1
 tunnel destination 192.0.2.11
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel20: 3G (Dialer2) to Hub1, third preference
interface Tunnel20
 description *** Tunnel via 3G to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 200
 tunnel source Dialer2
 tunnel destination 192.0.2.20
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel21: 3G (Dialer2) to Hub2, last resort
interface Tunnel21
 description *** Tunnel via 3G to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 210
 tunnel source Dialer2
 tunnel destination 192.0.2.21
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- branch LAN (198.19.1.0/24), advertised to the hubs through the EIGRP network statement
interface Ethernet0/0
 description *** LAN ***
 ip address 198.19.1.1 255.255.255.0
 half-duplex
!
!- physical PPPoE uplink, member of dial pool 1 (used by Dialer1)
interface Ethernet0/1
 description *** ISP1 PPPoE/ADSL ***
 no ip address
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!- serial link standing in for the 3G modem, member of dialer pool 2 (used by Dialer2)
interface Serial1/1
 description *** ISP2 PPP/3G ***
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 keepalive 10 3
 pulse-time 1
!
!- PPPoE dialer profile; "dialer persistent" keeps the session up permanently
!- NOTE(review): PAP sends the password in clear text and it is stored as "password 0";
!- lab only - prefer CHAP and an encrypted stored secret in production
interface Dialer1
 description *** PPPoE/ADSL Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 1
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke1 password 0 cisco
 ppp ipcp address accept
!
!- 3G dialer profile, same structure as Dialer1 with a separate credential
interface Dialer2
 description *** PPP/3G Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 2
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 2
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke1 password 0 cisco1
 ppp ipcp address accept
!
router eigrp 1
!- EIGRP only speaks on the four tunnels (passive-interface default works on a spoke,
!- which has no cloned interfaces)
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface Tunnel11
 no passive-interface Tunnel20
 no passive-interface Tunnel21
!- 198.18.0.0/15 covers Loopback1 (198.18.248.1) and the LAN (198.19.1.0/24)
 network 198.18.0.0 0.1.255.255
!- delay only (K3 = 1), matching the hubs
 metric weights 0 0 0 1 0 0
 no auto-summary
!- stub router: only connected and summary routes are advertised to the hubs
 eigrp stub connected summary
!
!- pin each hub tunnel endpoint to the dialer of the ISP that should carry it
!- (DSL endpoints via Dialer1, 3G endpoints via Dialer2)
ip route 192.0.2.10 255.255.255.255 Dialer1
ip route 192.0.2.11 255.255.255.255 Dialer1
ip route 192.0.2.20 255.255.255.255 Dialer2
ip route 192.0.2.21 255.255.255.255 Dialer2
!
!- all IP traffic counts as interesting for both dialers
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!

Spoke 2

!
hostname Spoke2
!
ip cef
no ip domain lookup
!
!- required for the PPPoE client on Ethernet0/1
vpdn enable
!
!- EIGRP authentication key chain, must match the hubs
!- NOTE(review): same static clear-text key on every device; rotate and protect it
key chain VTI_CHAIN
 key 10
   key-string whocares
!
!- IKE policy, must match the hubs' policy 1 (lab-grade DH group 2 / SHA-1 suite)
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
!
!- one pre-shared key per hub tunnel endpoint (all four use the same value here)
!- NOTE(review): lab key; in production use per-spoke keys or certificates
crypto isakmp key cisco address 192.0.2.10
crypto isakmp key cisco address 192.0.2.11
crypto isakmp key cisco address 192.0.2.20
crypto isakmp key cisco address 192.0.2.21
!- DPD and invalid-SPI recovery, same timers as the hubs
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set TR_ESP-AES192-SHA1 esp-aes 192 esp-sha-hmac
!
!- one IPSec profile for all four tunnels; unlike the hubs, no isakmp-profile is set
crypto ipsec profile IPSEC_PROF_ALL
 set transform-set TR_ESP-AES192-SHA1
 set pfs group2
!
!- PPPoE client group referenced by Ethernet0/1
bba-group pppoe global
!
!- tunnel network address of this spoke; all four tunnels are unnumbered to it
interface Loopback1
 description *** This box (Spoke) ***
 ip address 198.18.248.2 255.255.255.255
!
!- Tunnel10: DSL (Dialer1) to Hub1, the most preferred path
!- delay values 10 < 11 < 200 < 210 order the tunnels, since EIGRP is configured
!- to use delay only (metric weights 0 0 0 1 0 0)
interface Tunnel10
 description *** Tunnel via DSL to primary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 10
!- the static host route at the bottom pins 192.0.2.10 to Dialer1
 tunnel source Dialer1
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel11: DSL (Dialer1) to Hub2, second preference
!- bandwidth differs from Spoke1 (4000); with delay-only metrics this does not
!- change path selection - presumably a per-spoke QoS test value, confirm
interface Tunnel11
 description *** Tunnel via DSL to secondary Hub ***
 bandwidth 3000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 11
 tunnel source Dialer1
 tunnel destination 192.0.2.11
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel20: 3G (Dialer2) to Hub1, third preference (bandwidth again differs from Spoke1)
interface Tunnel20
 description *** Tunnel via 3G to primary Hub ***
 bandwidth 2000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 200
 tunnel source Dialer2
 tunnel destination 192.0.2.20
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- Tunnel21: 3G (Dialer2) to Hub2, last resort
interface Tunnel21
 description *** Tunnel via 3G to secondary Hub ***
 bandwidth 4000
 ip unnumbered Loopback1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 VTI_CHAIN
 delay 210
 tunnel source Dialer2
 tunnel destination 192.0.2.21
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_PROF_ALL
!
!- branch LAN (198.19.2.0/24), advertised to the hubs through the EIGRP network statement
interface Ethernet0/0
 description *** LAN ***
 ip address 198.19.2.1 255.255.255.0
 half-duplex
!
!- physical PPPoE uplink, member of dial pool 1 (used by Dialer1)
interface Ethernet0/1
 description *** ISP1 PPPoE/ADSL ***
 no ip address
 half-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!- serial link standing in for the 3G modem, member of dialer pool 2 (used by Dialer2)
!- NOTE(review): dialer-group 1 here, while Spoke1 uses dialer-group 2 on the same
!- interface; both dialer-lists permit all IP so it is harmless, but it looks unintended
interface Serial1/1
 description *** ISP2 PPP/3G ***
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 1
 keepalive 10 3
 pulse-time 1
!
!- PPPoE dialer profile; "dialer persistent" keeps the session up permanently
!- NOTE(review): PAP sends the password in clear text and it is stored as "password 0";
!- lab only - prefer CHAP and an encrypted stored secret in production
interface Dialer1
 description *** PPPoE/ADSL Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 1
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke2 password 0 cisco
 ppp ipcp address accept
!
!- 3G dialer profile, same structure as Dialer1 with a separate credential
interface Dialer2
 description *** PPP/3G Dialer ***
 ip address negotiated
 encapsulation ppp
 logging event subif-link-status
 dialer pool 2
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer-group 2
 keepalive 5
 ppp authentication pap callin
 ppp direction callout
 ppp pap sent-username Spoke2 password 0 cisco1
 ppp ipcp address accept
!
router eigrp 1
!- EIGRP only speaks on the four tunnels
 passive-interface default
 no passive-interface Tunnel10
 no passive-interface Tunnel11
 no passive-interface Tunnel20
 no passive-interface Tunnel21
!- 198.18.0.0/15 covers Loopback1 (198.18.248.2) and the LAN (198.19.2.0/24)
 network 198.18.0.0 0.1.255.255
!- delay only (K3 = 1), matching the hubs
 metric weights 0 0 0 1 0 0
 no auto-summary
!- stub router: only connected and summary routes are advertised to the hubs
 eigrp stub connected summary
!
!- pin the DSL hub endpoints to Dialer1 (the 3G endpoints follow below)
!- NOTE(review): the listing is broken after the next line - its trailing "!" is fused
!- to the route and a raw ISP1 configuration is spliced in; the remaining Spoke 2 lines
!- (host routes for 192.0.2.20/.21 via Dialer2 and the dialer-lists) appear after it
ip route 192.0.2.10 255.255.255.255 Dialer1
ip route 192.0.2.11 255.255.255.255 Dialer1!
!- NOTE(review): this raw ISP1 configuration (boot markers, unused/shutdown interfaces,
!- HTTP server) appears to have been pasted into the middle of the Spoke 2 listing;
!- a cleaned-up copy of the ISP1 configuration is repeated under the "ISP 1" heading
!- further down, and the rest of the Spoke 2 configuration follows this block
hostname ISP1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!- NOTE(review): no authentication for logins (lab only); "dial" authenticates PPP
!- peers against the local usernames below
aaa authentication login default none
aaa authentication ppp dial local
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
virtual-profile virtual-template 1
!
!- PPPoE server side for the spokes' DSL uplinks
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!- spoke PPP credentials, stored in clear text (lab only)
username Spoke1 password 0 cisco
username Spoke2 password 0 cisco
!
!
!
!
!
!
!- PPPoE sessions are cloned from Virtual-Template1
bba-group pppoe global
 virtual-template 1
!
!
!- address the PPPoE sessions borrow (ip unnumbered on the template)
interface Loopback1
 description *** This box ***
 ip address 192.0.2.127 255.255.255.255
!
!- /31 link to ISP2; strict uRPF drops packets whose source is not reachable
!- back through this interface (anti-spoofing)
interface Serial0/0
 description *** Uplink to ISP2, AS 65000 ***
 ip address 192.0.2.8 255.255.255.254
 ip verify unicast source reachable-via rx
 serial restart-delay 0
 clock rate 128000
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 serial restart-delay 0
 clock rate 128000
!
!- shared segment with both hubs' outside interfaces (192.0.2.2 and .3), strict uRPF
interface Ethernet1/0
 description *** Downstream AS 65535 ***
 ip address 192.0.2.1 255.255.255.248
 ip verify unicast source reachable-via rx
 half-duplex
!
interface Ethernet1/1
 description *** Spoke 1 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
interface Ethernet1/2
 description *** Spoke 2 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
!- per-session template: PAP against the local users, address from DIALPOOL, strict uRPF
interface Virtual-Template1
 description *** Template to clone PPPoE sessions ***
 ip unnumbered Loopback1
 ip verify unicast source reachable-via rx
 peer default ip address pool DIALPOOL
 ppp authentication pap dial
!
!- eBGP to both hubs and to ISP2; the spoke address pool is announced as one /27
router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 192.0.2.64 255.255.255.224 summary-only
 redistribute connected
 neighbor 192.0.2.2 remote-as 65535
 neighbor 192.0.2.3 remote-as 65535
 neighbor 192.0.2.9 remote-as 65000
 no auto-summary
!
!- addresses handed to the PPPoE spokes (192.0.2.64 - .95)
ip local pool DIALPOOL 192.0.2.64 192.0.2.95
!- NOTE(review): clear-text HTTP management enabled, HTTPS disabled (lab only;
!- disable or restrict in production)
ip http server
no ip http secure-server
!
!
!
!
!
!

!- remainder of the Spoke 2 configuration, continued from the Dialer1 host routes
!- above (a raw ISP1 listing is spliced in between)
!- 3G hub endpoints are pinned to Dialer2 so Tunnel20/21 always leave via ISP2
ip route 192.0.2.20 255.255.255.255 Dialer2
ip route 192.0.2.21 255.255.255.255 Dialer2
!
!- all IP traffic counts as interesting for both dialers
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!

ISP 1

!
hostname ISP1
!
aaa new-model
!
!- NOTE(review): no authentication for logins (lab only); list "dial" authenticates
!- PPP peers against the local usernames below
aaa authentication login default none
aaa authentication ppp dial local
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
!- PPPoE server side for the spokes' DSL uplinks
vpdn enable
!
!- spoke PPP credentials, stored in clear text (lab only)
username Spoke1 password 0 cisco
username Spoke2 password 0 cisco
!
!- PPPoE sessions are cloned from Virtual-Template1
bba-group pppoe global
 virtual-template 1
!
!- address the PPPoE sessions borrow (ip unnumbered on the template)
interface Loopback1
 description *** This box ***
 ip address 192.0.2.127 255.255.255.255
!
!- /31 link to ISP2; strict uRPF drops packets whose source is not reachable
!- back through this interface (anti-spoofing)
interface Serial0/0
 description *** Uplink to ISP2, AS 65000 ***
 ip address 192.0.2.8 255.255.255.254
 ip verify unicast source reachable-via rx
 serial restart-delay 0
 clock rate 128000
!
!- shared segment with both hubs' outside interfaces (192.0.2.2 and .3), strict uRPF
interface Ethernet1/0
 description *** Downstream AS 65535 ***
 ip address 192.0.2.1 255.255.255.248
 ip verify unicast source reachable-via rx
 half-duplex
!
interface Ethernet1/1
 description *** Spoke 1 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
interface Ethernet1/2
 description *** Spoke 2 PPPoE ***
 no ip address
 half-duplex
 pppoe enable group global
!
!- per-session template: PAP against the local users, address from DIALPOOL, strict uRPF
interface Virtual-Template1
 description *** Template to clone PPPoE sessions ***
 ip unnumbered Loopback1
 ip verify unicast source reachable-via rx
 peer default ip address pool DIALPOOL
 ppp authentication pap dial
!
!- eBGP to both hubs and to ISP2; the spoke address pool is announced as one /27
!- and "redistribute connected" carries the locally connected prefixes into BGP
router bgp 65500
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 192.0.2.64 255.255.255.224 summary-only
 redistribute connected
 neighbor 192.0.2.2 remote-as 65535
 neighbor 192.0.2.3 remote-as 65535
 neighbor 192.0.2.9 remote-as 65000
 no auto-summary
!
!- addresses handed to the PPPoE spokes (192.0.2.64 - .95)
ip local pool DIALPOOL 192.0.2.64 192.0.2.95
!

ISP 2

!
hostname ISP2
!
aaa new-model
!
!- NOTE(review): no authentication for logins (lab only); list "dial" authenticates
!- PPP peers against the local usernames below
aaa authentication login default none
aaa authentication ppp dial local
!
ip cef
no ip domain lookup
!
virtual-profile virtual-template 1
!
vpdn enable
!
!- spoke PPP credentials for the 3G path, stored in clear text (lab only)
username Spoke1 password 0 cisco1
username Spoke2 password 0 cisco1
!
!- 16 kbit/s policers in both directions, applied to each 3G session below
!- to simulate a slow backup link (the hubs shape their 3G VTIs to 8 kbit/s)
policy-map PM_POLICE_EGRESS
 class class-default
    police 16000 conform-action transmit  exceed-action drop
policy-map PM_POLICE_INGRESS
 class class-default
    police 16000 conform-action transmit  exceed-action drop
!
bba-group pppoe global
 virtual-template 1
!
!- address the PPP sessions borrow (ip unnumbered on the template)
interface Loopback1
 description *** This box ***
 ip address 192.0.2.255 255.255.255.255
!
!- serial links standing in for the spokes' 3G dial-ups; strict uRPF on each
interface Serial0/0
 description *** Spoke 1 PPP Dialup (3G) ***
 no ip address
 ip verify unicast source reachable-via rx
 encapsulation ppp
 keepalive 10 2
 serial restart-delay 120
 clock rate 128000
!
interface Serial0/1
 description *** Spoke 2 PPP Dialup (3G) ***
 no ip address
 ip verify unicast source reachable-via rx
 encapsulation ppp
 keepalive 10 2
 serial restart-delay 120
 clock rate 128000
!
!- /31 link to ISP1 (192.0.2.8), strict uRPF
interface Serial0/2
 description *** Uplink to ISP1, AS 65500 ***
 ip address 192.0.2.9 255.255.255.254
 ip verify unicast source reachable-via rx
 serial restart-delay 0
 clock rate 128000
!
!- per-session template: PAP against the local users, address from DIALPOOL,
!- strict uRPF and the two policers
interface Virtual-Template1
 description *** Template to clone PPP/3G sessions ***
 ip unnumbered Loopback1
 ip verify unicast source reachable-via rx
 peer default ip address pool DIALPOOL
 ppp authentication pap dial
 service-policy input PM_POLICE_INGRESS
 service-policy output PM_POLICE_EGRESS
!
!- eBGP to ISP1 only; the 3G address pool is announced as one /27
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 aggregate-address 192.0.2.192 255.255.255.224 summary-only
 redistribute connected
 neighbor 192.0.2.8 remote-as 65500
 no auto-summary
!
!- addresses handed to the 3G spokes (192.0.2.192 - .222)
ip local pool DIALPOOL 192.0.2.192 192.0.2.222
!

“FW”

!
hostname FW
!
!- routing is disabled: this box behaves like a host and stands in for the
!- firewall / internal data network behind the hubs
no ip routing
!
interface Ethernet0/0
 ip address 198.18.18.1 255.255.255.0
 no ip route-cache
 half-duplex
!
!- default gateway is the hubs' HSRP virtual address
ip default-gateway 198.18.18.254
!
