Sunday, 22 November 2020

Phase 2 with EIGRP




 

HUB
HUB(config)#router eigrp 12 
HUB(config-router)#network 1.1.1.1 0.0.0.0 
HUB(config-router)#network 192.168.10.1 0.0.0.0 
HUB(config-router)#no auto-summary 
 
Spoke-1 
Spoke-1(config-if)#router eigrp 12 
Spoke-1(config-router)#network 2.2.2.2 0.0.0.0 
Spoke-1(config-router)#network 192.168.10.2 0.0.0.0 
Spoke-1(config-router)#no auto-summary 
 
Spoke-2 
Spoke-2(config)#router eigrp 12 
Spoke-2(config-router)#network 3.3.3.3 0.0.0.0 
Spoke-2(config-router)#network 192.168.10.3 0.0.0.0 
Spoke-2(config-router)#no auto-summary 
 

 
Let's verify the EIGRP routing.


HUB 
HUB#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   192.168.10.3            Tu0                      12 00:04:25   82  1434  0  3
0   192.168.10.2            Tu0                      14 00:04:47   64  1434  0  4
 
HUB 
HUB#show ip route eigrp 
Gateway of last resort is 12.12.12.2 to network 0.0.0.0 
    2.0.0.0/32 is subnetted, 1 subnets 
D     2.2.2.2 [90/27008000] via 192.168.10.2, 00:18:49, Tunnel0 
    3.0.0.0/32 is subnetted, 1 subnets 
D     3.3.3.3 [90/27008000] via 192.168.10.3, 00:18:31, Tunnel0 
 
Let's also check the EIGRP routes on each spoke router.

Spoke-1 
Spoke-1#sh ip route eigrp 
      1.0.0.0/32 is subnetted, 1 subnets 
D     1.1.1.1 [90/27008000] via 192.168.10.1, 00:25:05, Tunnel0
 
Spoke-2 
Spoke-2#show ip route eigrp
      1.0.0.0/32 is subnetted, 1 subnets
D     1.1.1.1 [90/27008000] via 192.168.10.1, 00:25:21, Tunnel0


HUB 
HUB(config)#int tun0 
HUB(config-if)#no ip split-horizon eigrp 12 
 
Spoke-1

Spoke-1#sh ip route eigrp

    1.0.0.0/32 is subnetted, 1 subnets 
D     1.1.1.1 [90/27008000] via 192.168.10.1, 00:26:50, Tunnel0 
    3.0.0.0/32 is subnetted, 1 subnets 
D     3.3.3.3 [90/28288000] via 192.168.10.1, 00:00:04, Tunnel0  
 
Spoke-2 
Spoke-2#show ip route eigrp 
1.0.0.0/32 is subnetted, 1 subnets 
D 1.1.1.1 [90/27008000] via 192.168.10.1, 00:41:42, Tunnel0 
2.0.0.0/32 is subnetted, 1 subnets 
D 2.2.2.2 [90/28288000] via 192.168.10.1, 00:15:28, Tunnel0 
 
Now we'll run a ping test.
 
Spoke-1 
Spoke-1#ping 3.3.3.3 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/62/76 ms 
 
Spoke-1#ping 1.1.1.1 
Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: 
!!!!! 
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/50/56 ms 

Phase 2 DMVPN





HUB

HUB(config)#int tunnel0
HUB(config-if)#ip add 192.168.10.1 255.255.255.0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel source 12.12.12.1
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp authentication IDN
HUB(config-if)#ip nhrp map multicast dynamic

SPOKE 1

Spoke-1(config)#int tun0
Spoke-1(config-if)#ip add 192.168.10.2 255.255.255.0
Spoke-1(config-if)#tunnel mode gre multipoint
Spoke-1(config-if)#tunnel source 23.23.23.1
Spoke-1(config-if)#ip nhrp network-id 1
Spoke-1(config-if)#ip nhrp authentication IDN
Spoke-1(config-if)#ip nhrp map 192.168.10.1 12.12.12.1
Spoke-1(config-if)#ip nhrp nhs 192.168.10.1
Spoke-1(config-if)#ip nhrp map multicast 12.12.12.1 

SPOKE 2

Spoke-2(config)#int tun0
Spoke-2(config-if)#ip add 192.168.10.3 255.255.255.0
Spoke-2(config-if)#tunnel mode gre multipoint
Spoke-2(config-if)#tunnel source 24.24.24.1
Spoke-2(config-if)#ip nhrp network-id 1
Spoke-2(config-if)#ip nhrp authentication IDN
Spoke-2(config-if)#ip nhrp map 192.168.10.1 12.12.12.1
Spoke-2(config-if)#ip nhrp nhs 192.168.10.1
Spoke-2(config-if)#ip nhrp map multicast 12.12.12.1

Let's verify.

HUB

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
    # Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 23.23.23.1         192.168.10.2    UP 00:26:05     D
     1 24.24.24.1         192.168.10.3    UP 00:23:50     D

NHRP verification

HUB

HUB#show ip nhrp
192.168.10.2/32 via 192.168.10.2
  Tunnel0 created 00:26:09, expire 01:33:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 23.23.23.1
192.168.10.3/32 via 192.168.10.3
  Tunnel0 created 00:23:54, expire 01:36:05
  Type: dynamic, Flags: unique registered used
  NBMA address: 24.24.24.1

HUB#show ip nhrp brief
   Target             Via            NBMA           Mode     Intfc   Claimed
192.168.10.2/32       192.168.10.2   23.23.23.1     dynamic  Tu0     <   >
192.168.10.3/32       192.168.10.3   24.24.24.1     dynamic  Tu0     <   >
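
The hub learns its spoke mappings dynamically, so the show ip nhrp output above is where to confirm that only known spokes have registered. The following Python check is an added example, not part of the original lab; the EXPECTED_SPOKES inventory and the third sample entry (192.168.10.9 / 198.51.100.7) are constructed for illustration.

```python
import re

# Constructed sample: the `show ip nhrp` output from this lab plus one extra
# entry (192.168.10.9) that is made up to show an unexpected registration.
SHOW_IP_NHRP = """\
192.168.10.2/32 via 192.168.10.2
  Tunnel0 created 00:26:09, expire 01:33:50
  Type: dynamic, Flags: unique registered used
  NBMA address: 23.23.23.1
192.168.10.3/32 via 192.168.10.3
  Tunnel0 created 00:23:54, expire 01:36:05
  Type: dynamic, Flags: unique registered used
  NBMA address: 24.24.24.1
192.168.10.9/32 via 192.168.10.9
  Tunnel0 created 00:00:41, expire 01:59:18
  Type: dynamic, Flags: unique registered
  NBMA address: 198.51.100.7
"""

# Assumed inventory: tunnel address -> public (NBMA) address of each spoke.
EXPECTED_SPOKES = {"192.168.10.2": "23.23.23.1", "192.168.10.3": "24.24.24.1"}

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via ")
FIELD = re.compile(r"^\s+(Type|NBMA address):\s*([^,\s]+)")


def parse_show_ip_nhrp(text):
    """Return one {'tunnel', 'type', 'nbma'} dict per NHRP cache entry."""
    entries = []
    for line in text.splitlines():
        head = ENTRY.match(line)
        if head:
            entries.append({"tunnel": head.group(1), "type": None, "nbma": None})
            continue
        field = FIELD.match(line)
        if field and entries:
            key = "type" if field.group(1) == "Type" else "nbma"
            entries[-1][key] = field.group(2)
    return entries


def audit_registrations(entries, expected):
    """Compare dynamically learned entries with the inventory."""
    findings, seen = [], set()
    for e in entries:
        seen.add(e["tunnel"])
        if e["type"] != "dynamic":
            continue  # static maps come from local config, not from a peer
        want = expected.get(e["tunnel"])
        if want is None:
            findings.append(("unknown-spoke", e["tunnel"], e["nbma"]))
        elif want != e["nbma"]:
            findings.append(("nbma-changed", e["tunnel"], e["nbma"]))
    for tunnel in sorted(set(expected) - seen):
        findings.append(("missing-spoke", tunnel, expected[tunnel]))
    return findings


if __name__ == "__main__":
    for finding in audit_registrations(parse_show_ip_nhrp(SHOW_IP_NHRP), EXPECTED_SPOKES):
        print(finding)
```
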

Phase 1 with ipsec



HUB

HUB(config)#crypto isakmp key IDN_MANTAB address 23.23.23.1
HUB(config)#crypto isakmp key IDN_MANTAB address 24.24.24.1

Spoke-1, Spoke-2

Spoke-1,Spoke-2(config)#crypto isakmp key IDN_MANTAB address 12.12.12.1

HUB

HUB(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
HUB(cfg-crypto-trans)#mode transport
HUB(cfg-crypto-trans)#exit
HUB(config)#crypto ipsec profile IDN_PROFILE
HUB(ipsec-profile)#set transform-set IDN_TRANSFORM

Spoke-1

Spoke-1(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
Spoke-1(cfg-crypto-trans)#mode transport
Spoke-1(cfg-crypto-trans)#exit
Spoke-1(config)#crypto ipsec profile IDN_PROFILE
Spoke-1(ipsec-profile)#set transform-set IDN_TRANSFORM

Spoke-2

Spoke-2(config)#crypto ipsec transform-set IDN_TRANSFORM esp-aes esp-sha-hmac
Spoke-2(cfg-crypto-trans)#mode transport
Spoke-2(cfg-crypto-trans)#exit
Spoke-2(config)#crypto ipsec profile IDN_PROFILE
Spoke-2(ipsec-profile)#set transform-set IDN_TRANSFORM

Hub, Spoke1 and Spoke2

Hub,Spoke1,Spoke2(config)#int tun0
Hub,Spoke1,Spoke2(config-if)#tunnel protect ipsec profile IDN_PROFILE

After applying IPsec to the tunnel interface, we verify IPsec next.

HUB

HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.23.23.1      12.12.12.1      QM_IDLE           1003 ACTIVE
12.12.12.1      24.24.24.1      QM_IDLE           1002 ACTIVE
12.12.12.1      23.23.23.1      QM_IDLE           1001 ACTIVE
24.24.24.1      12.12.12.1      QM_IDLE           1004 ACTIVE
IPv6 Crypto ISAKMP SA

Verification.


Spoke-1

Spoke-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
12.12.12.1 23.23.23.1 QM_IDLE 1001 ACTIVE
23.23.23.1 12.12.12.1 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA


Spoke-2

Spoke-2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
12.12.12.1 24.24.24.1 QM_IDLE 1001 ACTIVE
24.24.24.1 12.12.12.1 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA

Phase 1 with ospf

 




First remove the previous EIGRP routing.


HUB

HUB(config)#router ospf 12
HUB(config-router)#network 1.1.1.1 0.0.0.0 area 0
HUB(config-router)#network 192.168.10.0 0.0.0.255 area 0
HUB(config-router)#int tun0
HUB(config-if)#ip ospf network broadcast

Spoke-1

Spoke-1(config)#router ospf 12
Spoke-1(config-router)#network 2.2.2.2 0.0.0.0 area 0
Spoke-1(config-router)#network 192.168.10.0 0.0.0.255 area 0
Spoke-1(config-router)#int tun0
Spoke-1(config-if)#ip ospf network broadcast

Spoke-2

Spoke-2(config)#router ospf 12
Spoke-2(config-router)#network 3.3.3.3 0.0.0.0 area 0
Spoke-2(config-router)#network 192.168.10.0 0.0.0.255 area 0
Spoke-2(config-router)#int tun0
Spoke-2(config-if)#ip ospf network broadcast


Now we'll verify.


HUB

HUB#show ip ospf int tun0
Tunnel0 is up, line protocol is up
Internet Address 192.168.10.1/24, Area 0, Attached via Network Statement
Process ID 12, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1000
Topology-MTID Cost Disabled Shutdown Topology Name
0 1000 no no Base
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 192.168.10.1
Backup Designated router (ID) 3.3.3.3, Interface address 192.168.10.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 2.2.2.2
Adjacent with neighbor 3.3.3.3 (Backup Designated Router)
Suppress hello for 0 neighbor(s)

Now let's ping.


Spoke-1

Spoke-1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/76 ms 


Spoke-1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/92/108 ms

Try checking with traceroute.


Spoke-1

Spoke-1#traceroute 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 124 msec 48 msec 108 msec
2 192.168.10.3 164 msec 128 msec *

Spoke-1#traceroute 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 64 msec 180 msec 132 msec
2 192.168.10.3 160 msec 112 msec *

Phase 1 with EIGRP

 





HUB

HUB(config)#int loopback0
HUB(config-if)#ip add 1.1.1.1 255.255.255.255
HUB(config-if)#ex
HUB(config)#interface tunnel0
HUB(config-if)#ip nhrp map multicast dynamic
HUB(config-if)#ex
HUB(config)#router eigrp 12
HUB(config-router)#net 1.1.1.1 0.0.0.0
HUB(config-router)#net 192.168.10.1 0.0.0.0
HUB(config-router)#no auto-summary
HUB(config-router)#int tunnel0
HUB(config-if)#no ip split-horizon eigrp 12

SPOKE 1

Spoke-1(config)#int loopback0
Spoke-1(config-if)#ip add 2.2.2.2 255.255.255.255
Spoke-1(config-if)#ex
Spoke-1(config)#int tunnel0
Spoke-1(config-if)#ip nhrp map multicast 12.12.12.1
Spoke-1(config-if)#ex
Spoke-1(config)#router eigrp 12
Spoke-1(config-router)#net 2.2.2.2 0.0.0.0
Spoke-1(config-router)#net 192.168.10.2 0.0.0.0
Spoke-1(config-router)#no auto-summary

SPOKE 2

Spoke-2(config)#int loopback0
Spoke-2(config-if)#ip add 3.3.3.3 255.255.255.255
Spoke-2(config-if)#ex
Spoke-2(config)#int tun0
Spoke-2(config-if)#ip nhrp map multicast 12.12.12.1
Spoke-2(config-if)#ex
Spoke-2(config)#router eigrp 12
Spoke-2(config-router)#net 3.3.3.3 0.0.0.0
Spoke-2(config-router)#net 192.168.10.3 0.0.0.0
Spoke-2(config-router)#no auto-summary

Let's check with ping.

HUB

HUB#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/65/86 ms

SPOKE 1

Spoke-1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/76/116 ms

SPOKE 2

Spoke-2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/71/80 ms

Lab. 15 DMVPN

 



DMVPN Phase 1
• The hub uses an mGRE tunnel
• The spokes use a GRE tunnel
• Multicast and unicast traffic flows only between the HUB and a SPOKE (spokes communicate with each other through the hub)
• The commands ip nhrp map multicast dynamic or ip nhrp map multicast x.x.x.x are not needed if no routing protocol is used

DMVPN Phase 2
• The hub uses an mGRE tunnel
• The spokes use an mGRE tunnel
• Spokes communicate with each other directly

DMVPN Phase 3
Same as phase 2, but uses the command “no next-hop-self eigrp”
• ip nhrp redirect on the HUB
• ip nhrp shortcut on the SPOKE


Configuration:

HUB

R1(config)#hostname HUB
R1(config)#int f0/0
R1(config-if)#ip address 12.12.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.2 

SPOKE 1

Spoke-1#config t
Spoke-1(config)#hostname Spoke-1
Spoke-1(config)#int f0/0
Spoke-1(config-if)#ip add 23.23.23.1 255.255.255.0
Spoke-1(config-if)#no sh
Spoke-1(config-if)#ex
Spoke-1(config)#ip route 0.0.0.0 0.0.0.0 23.23.23.2

SPOKE 2

Spoke-2(config)#interface fa0/0
Spoke-2(config-if)#ip add 24.24.24.1 255.255.255.0
Spoke-2(config-if)#no sh
Spoke-2(config-if)#ex
Spoke-2(config)#ip route 0.0.0.0 0.0.0.0 24.24.24.2 

Internet

internet(config)#interface fa0/0
internet(config-if)#ip add 12.12.12.2 255.255.255.0
internet(config-if)#no sh
internet(config-if)#ex
internet(config)#interface fa1/0
internet(config-if)#ip add 23.23.23.2 255.255.255.0
internet(config-if)#no sh
internet(config-if)#ex
internet(config)#interface fa1/1
internet(config-if)#ip add 24.24.24.2 255.255.255.0
internet(config-if)#no sh

Let's check with ping.

R1

HUB#ping 23.23.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/61/73 ms 

Tunnel configuration

HUB

HUB(config)#interface tunnel0
HUB(config-if)#ip address 192.168.10.1 255.255.255.0
HUB(config-if)#tunnel source 12.12.12.1
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp authentication IDN
HUB(config-if)#ex

SPOKE 1

Spoke-1(config)#int tunnel0
Spoke-1(config-if)#ip add 192.168.10.2 255.255.255.0
Spoke-1(config-if)#tunnel source 23.23.23.1
Spoke-1(config-if)#tunnel destination 12.12.12.1
Spoke-1(config-if)#ip nhrp network-id 1
Spoke-1(config-if)#ip nhrp authentication IDN
Spoke-1(config-if)#ip nhrp map 192.168.10.1 12.12.12.1
Spoke-1(config-if)#ip nhrp nhs 192.168.10.1
Spoke-1(config-if)#ex

SPOKE 2

Spoke-2(config)#int tunnel0
Spoke-2(config-if)#ip add 192.168.10.3 255.255.255.0
Spoke-2(config-if)#tunnel source 24.24.24.1
Spoke-2(config-if)#tunnel destination 12.12.12.1
Spoke-2(config-if)#ip nhrp network-id 1
Spoke-2(config-if)#ip nhrp authentication IDN
Spoke-2(config-if)#ip nhrp map 192.168.10.1 12.12.12.1
Spoke-2(config-if)#ip nhrp nhs 192.168.10.1
Spoke-2(config-if)#ex

Verification

HUB

HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 23.23.23.1         192.168.10.2    UP 00:12:19     D
     1 24.24.24.1         192.168.10.3    UP 00:05:44     D

Let's check NHRP.

HUB

HUB#show ip nhrp
192.168.10.2/32 via 192.168.10.2
  Tunnel0 created 00:12:36, expire 01:47:23
  Type: dynamic, Flags: unique registered used
  NBMA address: 23.23.23.1
192.168.10.3/32 via 192.168.10.3
  Tunnel0 created 00:06:02, expire 01:53:57
  Type: dynamic, Flags: unique registered used
  NBMA address: 24.24.24.1

Let's ping between the tunnels.

HUB

HUB#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 26/54/78 ms



Wednesday, 18 November 2020

Lab. 14 IPSEC tunnel mode




IPsec is a protocol used to secure datagram transmission in a TCP/IP-based internetwork. IPsec defines several standards for data encryption and data integrity at the second layer of the DARPA Reference Model.

R2 

R2(config)#no router eigrp 23
R2(config)#no interface tunnel23

R3

R3(config)#no interface tunnel32
R3(config)#no router eigrp 23

Configure ISAKMP phase 1 and 2

R2

R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#crypto isakmp key 0 IDNJOS address 13.13.13.3 
R2(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R2(config)#crypto map ROSLIANA12A 10 ipsec-isakmp
R2(config-crypto-map)#set peer 13.13.13.3
R2(config-crypto-map)#set transform-set ROSLIANA
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#access-list 100 permit ip host 2.2.2.2 host 3.3.3.3 

R3

R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#crypto isakmp key 0 IDNJOS address 12.12.12.2
R3(config)#crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#crypto map ROSLIANA12A 10 ipsec-isakmp
R3(config-crypto-map)#set peer 12.12.12.2
R3(config-crypto-map)#set transform-set ROSLIANA
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#access-list 100 permit ip host 3.3.3.3 host 2.2.2.2 

Now we install a static route and the crypto map on R2 and R3.

R2

R2(config)#ip route 3.3.3.3 255.255.255.255 13.13.13.3
R2(config)#int fa0/0
R2(config-if)#crypto map ROSLIANA12A

R3

R3(config)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R3(config)#int fa0/0
R3(config-if)#crypto map ROSLIANA12A

Next we must make sure the session status is up.

R2

R2(config)#do show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 13.13.13.3 port 500
    IKE SA: local 12.12.12.2/500 remote 13.13.13.3/500 Active
    IPSEC FLOW: permit ip host 2.2.2.2 host 3.3.3.3
            Active SAs: 2, origin: crypto map 

R3

R3#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 12.12.12.2 port 500
    IKE SA: local 13.13.13.3/500 remote 12.12.12.2/500 Active
    IPSEC FLOW: permit ip host 3.3.3.3 host 2.2.2.2
        Active SAs: 2, origin: crypto map

R3

R3#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: ROSLIANA12A, local addr 13.13.13.3
    protected vrf: (none)
   local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
            remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

    local crypto endpt.: 13.13.13.3, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0 
    PFS (Y/N): N, DH group: none
    inbound esp sas:
    spi: 0x7CAFE9D5(2091903445)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: ROSLIANA12A
    sa timing: remaining key lifetime (k/sec): (4593143/1916)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0x4F0F0D33(1326386483)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: ROSLIANA12A
    sa timing: remaining key lifetime (k/sec): (4593141/1916)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE
    outbound ah sas:
    outbound pcp sas:

Let's check with ping.

R2

R2(config)#do ping 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/62/52 ms 
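
A consistency check for the kind of crypto map configuration built in this lab, as an added Python example that is not part of the original post: it reports a crypto map, transform set or ACL that is referenced but never defined, and an ISAKMP policy that uses DH group 1, 2 or 5. The sample text is constructed from R2's commands, and the weak-group set is this example's assumed policy.

```python
# Constructed sample: R2's commands from this lab gathered into one text, with
# the interface bound to a crypto map name (IDNSCHOOL) that is never defined.
R2_CONFIG = """\
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 IDNJOS address 13.13.13.3
crypto ipsec transform-set ROSLIANA esp-aes esp-sha-hmac
crypto map ROSLIANA12A 10 ipsec-isakmp
 set peer 13.13.13.3
 set transform-set ROSLIANA
 match address 100
access-list 100 permit ip host 2.2.2.2 host 3.3.3.3
interface FastEthernet0/0
 crypto map IDNSCHOOL
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # assumed policy threshold for this example


def sections(config):
    """Group IOS-style text into [header words, [child words, ...]] pairs."""
    out = []
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0] == " " and out:
            out[-1][1].append(words)  # indented line belongs to the last header
        else:
            out.append([words, []])
    return out


def audit_ipsec(config):
    """Return (finding, section, value) tuples for dangling names and weak DH."""
    secs = sections(config)
    heads = [head for head, _ in secs]
    maps = {h[2] for h in heads if h[:2] == ["crypto", "map"] and len(h) > 2}
    tsets = {h[3] for h in heads if h[:3] == ["crypto", "ipsec", "transform-set"] and len(h) > 3}
    acls = {h[1] for h in heads if h[0] == "access-list" and len(h) > 1}
    checks = [  # (section prefix, child prefix, finding name, is_bad(value))
        (["interface"], ["crypto", "map"], "undefined-crypto-map", lambda v: v not in maps),
        (["crypto", "map"], ["set", "transform-set"], "undefined-transform-set", lambda v: v not in tsets),
        (["crypto", "map"], ["match", "address"], "undefined-acl", lambda v: v not in acls),
        (["crypto", "isakmp", "policy"], ["group"], "weak-dh-group", lambda v: v in WEAK_DH_GROUPS),
    ]
    findings = []
    for head, kids in secs:
        for kid in kids:
            for sec, child, name, bad in checks:
                if head[:len(sec)] == sec and kid[:len(child)] == child and bad(kid[-1]):
                    findings.append((name, " ".join(head), kid[-1]))
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec(R2_CONFIG):
        print(finding)
```
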



