OSPF over GRE Over IPsec on GNS3 - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, January 18, 2012

OSPF over GRE Over IPsec on GNS3

Continued on the post GRE Tunnel in GNS3

Same topology as GRE one:




  • R1, R2, R3, R4, R5, R6, R7 all uses same IOS : c3640-ik9o3s-mz.124-10.bin. 3600 Software (C3640-IK9O3S-M), Version 12.4(10), RELEASE SOFTWARE (fc1)
  • R5 is acting as Internet Router. It is only configured local interface ip address. No static and dynamic routing configured
  • R1, R3 will be acted as a pair to configure GRE and IPSec Tunnel, and also configured as main link between R6 and R7
  • R2, R4 will be acted as second pair to configure GRE and IPSec Tunnel. It will be set as secondly link between R6 and R7
  • R5 Configuration:
R5#sh run
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 ip address 2.2.2.2 255.255.255.0
 full-duplex
!
interface Ethernet0/2
 ip address 3.3.3.2 255.255.255.0
 full-duplex
!
interface Ethernet0/3
 ip address 4.4.4.2 255.255.255.0
 full-duplex
!
1. R1 Configuration
R1#sh run
Building configuration...
Current configuration : 1336 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 3.3.3.1

!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode transport

!
crypto map vpn 10 ipsec-isakmp
 set peer 3.3.3.1
 set transform-set myset
 match address 101

!
interface Loopback0
 ip address 11.11.11.11 255.255.255.0
!
interface Tunnel0
 ip unnumbered Ethernet0/1
 tunnel source Ethernet0/0
 tunnel destination 3.3.3.1
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 full-duplex
 crypto map vpn
!
interface Ethernet0/1
 ip address 16.16.16.16 255.255.255.0
 shutdown
 full-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 full-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 full-duplex
!
no ip http server
no ip http secure-server
!
ip route 3.3.3.0 255.255.255.0 1.1.1.2
ip route 33.33.33.0 255.255.255.0 Tunnel0
!
!
access-list 101 permit gre host 1.1.1.1 host 3.3.3.1
!
control-plane

line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

2. R3 Configuration
R3#sh run
Building configuration...
Current configuration : 1336 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.1

!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode transport

!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 101
!

!
!
!
interface Loopback0
 ip address 33.33.33.33 255.255.255.0
!
interface Tunnel0
 ip unnumbered Ethernet0/1
 tunnel source Ethernet0/0
 tunnel destination 1.1.1.1
!
interface Ethernet0/0
 ip address 3.3.3.1 255.255.255.0
 full-duplex
 crypto map vpn
!
interface Ethernet0/1
 ip address 37.37.37.37 255.255.255.0
 shutdown
 full-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 full-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 full-duplex
!
no ip http server
no ip http secure-server
!
ip route 1.1.1.0 255.255.255.0 3.3.3.2
ip route 11.11.11.0 255.255.255.0 Tunnel0
!
!
access-list 101 permit gre host 3.3.3.1 host 1.1.1.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
 3. Verification

R3#show crypto isakmp key
Keyring               Hostname/Address                   Preshared Key
default               1.1.1.1                            cisco123
R3#show crypto isakmp peers
Peer: 1.1.1.1 Port: 500 Local: 3.3.3.1
 Phase1 id: 1.1.1.1
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R3#show crypto isakmp sa
dst             src             state          conn-id slot status
3.3.3.1         1.1.1.1         QM_IDLE              1    0 ACTIVE

R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/127/224 ms
R1#


R3#debug crypto isakmp
Crypto ISAKMP debugging is on
R3#
*Mar  1 01:00:50.155: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
*Mar  1 01:00:50.159: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Mar  1 01:00:50.163: ISAKMP: New peer created peer = 0x64AAEB34 peer_handle = 0x80000003
*Mar  1 01:00:50.167: ISAKMP: Locking peer struct 0x64AAEB34, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 01:00:50.167: ISAKMP: local port 500, remote port 500
*Mar  1 01:00:50.171: insert sa successfully sa = 646DD910
*Mar  1 01:00:50.175: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:00:50.179: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  1 01:00:50.187: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 01:00:50.191: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:00:50.195: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:00:50.195: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:00:50.195: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:00:50.199: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 01:00:50.199: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Mar  1 01:00:50.203: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:00:50.207: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:00:50.211: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 01:00:50.211: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1
*Mar  1 01:00:50.211: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 01:00:50.211: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:00:50.211: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 01:00:50.211: ISAKMP:      encryption DES-CBC
*Mar  1 01:00:50.211: ISAKMP:      hash MD5
*Mar  1 01:00:50.211: ISAKMP:      default group 1
*Mar  1 01:00:50.211: ISAKMP:      auth pre-share
*Mar  1 01:00:50.211: ISAKMP:      life type in seconds
*Mar  1 01:00:50.211: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:00:50.211: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:00:50.227: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-07 ID
*Mar  1 01:00:50.227: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar  1 01:00:50.231: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:00:50.231: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar  1 01:00:50.359: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar  1 01:00:50.367: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:00:50.371: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar  1 01:00:50.375: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.1.1
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:00:50.399: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Mar  1 01:00:50.403: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  1 01:00:50.407: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:00:50.411: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar  1 01:00:50.531: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar  1 01:00:50.539: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:00:50.543: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Mar  1 01:00:50.551: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 01:00:50.555: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:00:50.559: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 01:00:50.563: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 646DD910
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 3.3.3.1 remote 1.1.1.1 remote port 500
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.1.1
*Mar  1 01:00:50.571: ISAKMP: Trying to insert a peer 3.3.3.1/1.1.1.1/500/,  and inserted successfully 64AAEB34.
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar  1 01:00:50.571: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:00:50.571: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 3.3.3.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:00:50.575: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 01:00:50.583: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar  1 01:00:50.587: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:00:50.587: ISAKMP:(0:1:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar  1 01:00:50.595: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:00:50.599: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar  1 01:00:50.671: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 01:00:50.675: ISAKMP: set new node -647448370 to QM_IDLE
*Mar  1 01:00:50.687: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -647448370
*Mar  1 01:00:50.687: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -647448370
*Mar  1 01:00:50.691: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 01:00:50.691: ISAKMP: transform 1, ESP_DES
*Mar  1 01:00:50.695: ISAKMP:   attributes in transform:
*Mar  1 01:00:50.695: ISAKMP:      encaps is 2 (Transport)
*Mar  1 01:00:50.695: ISAKMP:      SA life type in seconds
*Mar  1 01:00:50.695: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:00:50.695: ISAKMP:      SA life type in kilobytes
*Mar  1 01:00:50.695: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:00:50.695: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:00:50.695: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 01:00:50.699: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -647448370
*Mar  1 01:00:50.699: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -647448370
*Mar  1 01:00:50.703: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -647448370
*Mar  1 01:00:50.707: ISAKMP:(0:1:SW:1): asking for 1 spis from ipsec
*Mar  1 01:00:50.711: ISAKMP:(0:1:SW:1):Node -647448370, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:00:50.711: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Mar  1 01:00:50.711: ISAKMP: received ke message (2/1)
*Mar  1 01:00:50.719: ISAKMP: Locking peer struct 0x64AAEB34, IPSEC refcount 1 for for stuff_ke
*Mar  1 01:00:50.723: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar  1 01:00:50.723:         inbound SA from 1.1.1.1 to 3.3.3.1 (f/i)  0/ 0
        (proxy 1.1.1.1 to 3.3.3.1)
*Mar  1 01:00:50.727:         has spi 0xD57BF9FC and conn_id 0 and flags 4
*Mar  1 01:00:50.727:         lifetime of 3600 seconds
*Mar  1 01:00:50.727:         lifetime of 4608000 kilobytes
*Mar  1 01:00:50.727:         has client flags 0x0
*Mar  1 01:00:50.727:         outbound SA from 3.3.3.1 to 1.1.1.1 (f/i) 0/0
        (proxy 3.3.3.1 to 1.1.1.1)
*Mar  1 01:00:50.727:         has spi 1959940862 and conn_id 0 and flags C
*Mar  1 01:00:50.727:         lifetime of 3600 seconds
*Mar  1 01:00:50.727:         lifetime of 4608000 kilobytes
*Mar  1 01:00:50.727:         has client flags 0x0
*Mar  1 01:00:50.727: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar  1 01:00:50.731: ISAKMP:(0:1:SW:1):Node -647448370, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar  1 01:00:50.735: ISAKMP:(0:1:SW:1):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Mar  1 01:00:50.743: ISAKMP: Locking peer struct 0x64AAEB34, IPSEC refcount 2 for from create_transforms
*Mar  1 01:00:50.747: ISAKMP: Unlocking IPSEC struct 0x64AAEB34 from create_transforms, count 1
*Mar  1 01:00:50.843: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 01:00:50.855: ISAKMP:(0:1:SW:1):deleting node -647448370 error FALSE reason "QM done (await)"
*Mar  1 01:00:50.859: ISAKMP:(0:1:SW:1):Node -647448370, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:00:50.859: ISAKMP:(0:1:SW:1):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
R3#
4. Packets 
Captured packets on R5 interface

5. Enable OSPF on R1 and R3
@R1

router ospf 100
 router-id 11.11.11.11
 log-adjacency-changes
 network 11.11.11.0 0.0.0.255 area 0
 network 16.16.16.0 0.0.0.255 area 0

@R3
router ospf 100
 router-id 33.33.33.33
 log-adjacency-changes
 network 33.33.33.0 0.0.0.255 area 0
 network 37.37.37.0 0.0.0.255 area 0

6. Show routes on both routers
@R1
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     16.0.0.0/24 is subnetted, 1 subnets
C       16.16.16.0 is directly connected, Ethernet0/1
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Ethernet0/0
     33.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       33.33.33.33/32 [110/11112] via 37.37.37.37, 00:00:45, Tunnel0
S       33.33.33.0/24 is directly connected, Tunnel0
     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 1.1.1.2
     37.0.0.0/24 is subnetted, 1 subnets
O       37.37.37.0 [110/11121] via 37.37.37.37, 00:00:47, Tunnel0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback0


@R3
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     16.0.0.0/24 is subnetted, 1 subnets
O       16.16.16.0 [110/11121] via 16.16.16.16, 00:00:35, Tunnel0
     1.0.0.0/24 is subnetted, 1 subnets
S       1.1.1.0 [1/0] via 3.3.3.2
     33.0.0.0/24 is subnetted, 1 subnets
C       33.33.33.0 is directly connected, Loopback0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Ethernet0/0
     37.0.0.0/24 is subnetted, 1 subnets
C       37.37.37.0 is directly connected, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       11.11.11.11/32 [110/11112] via 16.16.16.16, 00:00:37, Tunnel0
S       11.11.11.0/24 is directly connected, Tunnel0

R3#sh ip os nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.11       0   FULL/  -        00:00:36    16.16.16.16     Tunnel0

R3#ping 16.16.16.16 source 37.37.37.37
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.16.16.16, timeout is 2 seconds:
Packet sent with a source address of 37.37.37.37
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/95/164 ms
R3#

No comments:

Post a Comment