diff --git a/docs/_static/images/PA-ESP-group.png b/docs/_static/images/PA-ESP-group.png
new file mode 100644
index 00000000..c6411b66
Binary files /dev/null and b/docs/_static/images/PA-ESP-group.png differ
diff --git a/docs/_static/images/PA-IKE-GW-1.png b/docs/_static/images/PA-IKE-GW-1.png
new file mode 100644
index 00000000..863eeb3a
Binary files /dev/null and b/docs/_static/images/PA-IKE-GW-1.png differ
diff --git a/docs/_static/images/PA-IKE-GW-2.png b/docs/_static/images/PA-IKE-GW-2.png
new file mode 100644
index 00000000..21a16055
Binary files /dev/null and b/docs/_static/images/PA-IKE-GW-2.png differ
diff --git a/docs/_static/images/PA-IKE-group.png b/docs/_static/images/PA-IKE-group.png
new file mode 100644
index 00000000..06fd535d
Binary files /dev/null and b/docs/_static/images/PA-IKE-group.png differ
diff --git a/docs/_static/images/PA-IPsec-tunnel.png b/docs/_static/images/PA-IPsec-tunnel.png
new file mode 100644
index 00000000..2f8f4cb8
Binary files /dev/null and b/docs/_static/images/PA-IPsec-tunnel.png differ
diff --git a/docs/_static/images/PA-tunnel-1.png b/docs/_static/images/PA-tunnel-1.png
new file mode 100644
index 00000000..3c99c6c7
Binary files /dev/null and b/docs/_static/images/PA-tunnel-1.png differ
diff --git a/docs/_static/images/PA-tunnel-2.png b/docs/_static/images/PA-tunnel-2.png
new file mode 100644
index 00000000..6f073513
Binary files /dev/null and b/docs/_static/images/PA-tunnel-2.png differ
diff --git a/docs/_static/images/PA-tunnel-3.png b/docs/_static/images/PA-tunnel-3.png
new file mode 100644
index 00000000..ca5a94e9
Binary files /dev/null and b/docs/_static/images/PA-tunnel-3.png differ
diff --git a/docs/_static/images/cisco-vpn-ipsec.png b/docs/_static/images/cisco-vpn-ipsec.png
new file mode 100644
index 00000000..bc19e8bc
Binary files /dev/null and b/docs/_static/images/cisco-vpn-ipsec.png differ
diff --git a/docs/_static/images/ipsec-vyos-pa.png b/docs/_static/images/ipsec-vyos-pa.png
new file mode 100644
index 00000000..0929bcc7
Binary files /dev/null and b/docs/_static/images/ipsec-vyos-pa.png differ
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst
index c2575321..0b585972 100644
--- a/docs/configexamples/index.rst
+++ b/docs/configexamples/index.rst
@@ -22,6 +22,9 @@ This chapter contains various configuration examples:
 qos
 segment-routing-isis
 nmp
+ ipsec-cisco-policy-based
+ ipsec-cisco-route-based
+ ipsec-pa-route-based
 Configuration Blueprints (autotest)
diff --git a/docs/configexamples/ipsec-cisco-policy-based.rst b/docs/configexamples/ipsec-cisco-policy-based.rst
new file mode 100644
index 00000000..787c1140
--- /dev/null
+++ b/docs/configexamples/ipsec-cisco-policy-based.rst
@@ -0,0 +1,355 @@ +:lastproofread: 2025-06-26 + +.. _examples-ipsec-cisco-policy-based: + +########################################################## +Policy-based Site-to-Site VPN IPsec between VyOS and Cisco +########################################################## + +This document is to describe a basic setup using policy-based +site-to-site VPN IPsec. In this example we use VyOS 1.5 and +Cisco IOS. Cisco initiates IPsec connection only if interesting +traffic present. For stable work we recommend configuring an +initiator role on VyOS side. + +Network Topology +================ + +.. image:: /_static/images/cisco-vpn-ipsec.png + :align: center + :alt: Network Topology Diagram + +Prerequirements +=============== + +**VyOS:** + ++---------+----------------+ +| WAN IP | 10.0.1.2/30 | ++---------+----------------+ +| LAN1 IP | 192.168.0.1/24 | ++---------+----------------+ +| LAN2 IP | 192.168.1.1/24 | ++---------+----------------+ + +**Cisco:** + ++---------+-----------------+ +| WAN IP | 10.0.2.2/30 | ++---------+-----------------+ +| LAN1 IP | 192.168.10.1/24 | ++---------+-----------------+ +| LAN2 IP | 192.168.11.1/24 | ++---------+-----------------+ + +**IKE parameters:** + ++-------------------+---------+ +| Encryption | AES-256 | ++-------------------+---------+ +| HASH | SHA-1 | ++-------------------+---------+ +| Diff-Helman Group | 14 | ++-------------------+---------+ +| Life-Time | 28800 | ++-------------------+---------+ +| IKE Version | 2 | ++-------------------+---------+ + +**IPsec parameters:** + ++------------+---------+ +| Encryption | AES-256 | ++------------+---------+ +| HASH | SHA-256 | ++------------+---------+ +| Life-Time | 3600 | ++------------+---------+ +| PFS | disable | ++------------+---------+ + +**Traffic Selectors** + 192.168.0.0/24 <==> 192.168.10.0/24 + + 192.168.1.0/24 <==> 192.168.11.0/24 + +**Hosts configuration** + ++--------+--------------+ +| PC1 IP | 192.168.0.2 | ++--------+--------------+ +| PC2 IP | 192.168.1.2 | 
++--------+--------------+ +| PC3 IP | 192.168.10.2 | ++--------+--------------+ +| PC4 IP | 192.168.11.2 | ++--------+--------------+ + +Configuration +============= + +.. note:: Pfs is disabled in Cisco by default. + +VyOS +---- + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces ethernet eth1 address '192.168.0.1/24' + set interfaces ethernet eth2 address '192.168.1.1/24' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA==' + set vpn ipsec authentication psk AUTH-PSK secret-type 'base64' + set vpn ipsec esp-group ESP-GROUP lifetime '3600' + set vpn ipsec esp-group ESP-GROUP pfs 'disable' + set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer CISCO connection-type 'initiate' + set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2' + set vpn ipsec site-to-site peer CISCO 
remote-address '10.0.2.2' + set vpn ipsec site-to-site peer CISCO tunnel 1 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer CISCO tunnel 1 remote prefix '192.168.10.0/24' + set vpn ipsec site-to-site peer CISCO tunnel 2 local prefix '192.168.1.0/24' + set vpn ipsec site-to-site peer CISCO tunnel 2 remote prefix '192.168.11.0/24' + +Cisco +----- + +.. code-block:: none + + crypto ikev2 proposal aes-cbc-256-proposal + encryption aes-cbc-256 + integrity sha1 + group 14 + ! + crypto ikev2 policy policy1 + match address local 10.0.2.2 + proposal aes-cbc-256-proposal + ! + crypto ikev2 keyring keys + peer VyOS + address 10.0.1.2 + pre-shared-key local test + pre-shared-key remote test + ! + crypto ikev2 profile IKEv2-profile + match identity remote address 10.0.1.2 255.255.255.255 + authentication remote pre-share + authentication local pre-share + keyring local keys + lifetime 28800 + ! + crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac + mode tunnel + ! + crypto map IPSEC-map 10 ipsec-isakmp + set peer 10.0.1.2 + set security-association lifetime seconds 3600 + set transform-set TS + set ikev2-profile IKEv2-profile + match address cryptoacl + ! + interface GigabitEthernet0/0 + ip address 10.0.2.2 255.255.255.252 + crypto map IPSEC-map + ! + interface GigabitEthernet0/1 + ip address 192.168.10.1 255.255.255.0 + ! + interface GigabitEthernet0/2 + ip address 192.168.11.1 255.255.255.0 + ! + ip route 0.0.0.0 0.0.0.0 10.0.2.1 + ! + ip access-list extended cryptoacl + permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 + permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255 + + + +Monitoring +========== + +Monitoring on VyOS side +----------------------- + +IKE SAs: + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 304 26528 + +IPsec SAs: + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + -------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------- + CISCO-tunnel-1 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128 + CISCO-tunnel-2 up 6m6s 0B/0B 0/0 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128 + +Monitoring on Cisco side +------------------------ + +IKE SAs: + +.. code-block:: none + + Cisco#show crypto ikev2 sa + IPv4 Crypto IKEv2 SA + + Tunnel-id Local Remote fvrf/ivrf Status + 1 10.0.2.2/4500 10.0.1.2/4500 none/none READY + Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK + Life/Active Time: 28800/471 sec + + IPv6 Crypto IKEv2 SA + + +IPsec SAs: + +.. code-block:: none + + Cisco#show crypto ipsec sa + + interface: GigabitEthernet0/0 + Crypto map tag: IPSEC-map, local addr 10.0.2.2 + + protected vrf: (none) + local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0) + remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) + current_peer 10.0.1.2 port 4500 + PERMIT, flags={origin_is_acl,} + #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 + #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 + #pkts compressed: 0, #pkts decompressed: 0 + #pkts not compressed: 0, #pkts compr. 
failed: 0 + #pkts not decompressed: 0, #pkts decompress failed: 0 + #send errors 0, #recv errors 0 + + local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2 + plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0 + current outbound spi: 0xC81F83DA(3357508570) + PFS (Y/N): N, DH group: none + + inbound esp sas: + spi: 0x8C63C51E(2355348766) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 23, flow_id: SW:23, sibling_flags 80000040, crypto map: IPSEC-map + sa timing: remaining key lifetime (k/sec): (4231729/3585) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + inbound ah sas: + + inbound pcp sas: + + outbound esp sas: + spi: 0xC81F83DA(3357508570) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 24, flow_id: SW:24, sibling_flags 80000040, crypto map: IPSEC-map + sa timing: remaining key lifetime (k/sec): (4231729/3585) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + outbound ah sas: + + outbound pcp sas: + + protected vrf: (none) + local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) + remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0) + current_peer 10.0.1.2 port 4500 + PERMIT, flags={origin_is_acl,} + #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 + #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 + #pkts compressed: 0, #pkts decompressed: 0 + #pkts not compressed: 0, #pkts compr. 
failed: 0 + #pkts not decompressed: 0, #pkts decompress failed: 0 + #send errors 0, #recv errors 0 + + local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2 + plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0 + current outbound spi: 0xC40C7A20(3289152032) + PFS (Y/N): N, DH group: none + + inbound esp sas: + spi: 0x2948B6CB(692631243) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 21, flow_id: SW:21, sibling_flags 80000040, crypto map: IPSEC-map + sa timing: remaining key lifetime (k/sec): (4194891/3581) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + inbound ah sas: + + inbound pcp sas: + + outbound esp sas: + spi: 0xC40C7A20(3289152032) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 22, flow_id: SW:22, sibling_flags 80000040, crypto map: IPSEC-map + sa timing: remaining key lifetime (k/sec): (4194891/3581) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + outbound ah sas: + + outbound pcp sas: + +Checking Connectivity +--------------------- + +ICMP packets from PC1 to PC3. + +.. code-block:: none + + PC1> ping 192.168.10.2 + + 84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms + 84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms + 84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms + 84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms + 84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms + +ICMP packets from PC2 to PC4. + +.. code-block:: none + + PC2> ping 192.168.11.2 + + 84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms + 84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms + 84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms diff --git a/docs/configexamples/ipsec-cisco-route-based.rst b/docs/configexamples/ipsec-cisco-route-based.rst new file mode 100644 index 00000000..f7c3cb08 --- /dev/null 
+++ b/docs/configexamples/ipsec-cisco-route-based.rst 
@@ -0,0 +1,405 @@ +:lastproofread: 2025-06-26 + +.. _examples-ipsec-cisco-route-based: + +######################################################### +Route-based Site-to-Site VPN IPsec between VyOS and Cisco +######################################################### + +This document is to describe a basic setup using route-based +site-to-site VPN IPsec. In this example we use VyOS 1.5 and +Cisco IOS. Cisco initiates IPsec connection only if interesting +traffic present. For stable work we recommend configuring an +initiator role on VyOS side. OSPF is selected as routing protocol +inside the tunnel. + +Network Topology +================ + +.. image:: /_static/images/cisco-vpn-ipsec.png + :align: center + :alt: Network Topology Diagram + +Prerequirements +=============== + +**VyOS:** + ++---------+----------------+ +| WAN IP | 10.0.1.2/30 | ++---------+----------------+ +| LAN1 IP | 192.168.0.1/24 | ++---------+----------------+ +| LAN2 IP | 192.168.1.1/24 | ++---------+----------------+ + +**Cisco:** + ++---------+-----------------+ +| WAN IP | 10.0.2.2/30 | ++---------+-----------------+ +| LAN1 IP | 192.168.10.1/24 | ++---------+-----------------+ +| LAN2 IP | 192.168.11.1/24 | ++---------+-----------------+ + +**IKE parameters:** + ++-------------------+---------+ +| Encryption | AES-128 | ++-------------------+---------+ +| HASH | SHA-1 | ++-------------------+---------+ +| Diff-Helman Group | 14 | ++-------------------+---------+ +| Life-Time | 28800 | ++-------------------+---------+ +| IKE Version | 1 | ++-------------------+---------+ + +**IPsec parameters:** + ++------------+---------+ +| Encryption | AES-256 | ++------------+---------+ +| HASH | SHA-256 | ++------------+---------+ +| Life-Time | 3600 | ++------------+---------+ +| PFS | disable | ++------------+---------+ + +**Hosts configuration** + ++--------+--------------+ +| PC1 IP | 192.168.0.2 | ++--------+--------------+ +| PC2 IP | 192.168.1.2 | ++--------+--------------+ +| PC3 IP | 192.168.10.2 | 
++--------+--------------+ +| PC4 IP | 192.168.11.2 | ++--------+--------------+ + +Configuration +============= + +.. note:: Pfs is disabled in Cisco by default. + +VyOS +---- + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces ethernet eth1 address '192.168.0.1/24' + set interfaces ethernet eth2 address '192.168.1.1/24' + set interfaces vti vti1 address '10.100.100.1/30' + set interfaces vti vti1 mtu '1438' + set protocols ospf area 0 network '10.100.100.0/30' + set protocols ospf area 0 network '192.168.0.0/24' + set protocols ospf area 0 network '192.168.1.0/24' + set protocols ospf interface eth1 passive + set protocols ospf interface eth2 passive + set protocols ospf interface vti1 network 'point-to-point' + set protocols ospf parameters router-id '2.2.2.2' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA==' + set vpn ipsec authentication psk AUTH-PSK secret-type 'base64' + set vpn ipsec esp-group ESP-GROUP lifetime '3600' + set vpn ipsec esp-group ESP-GROUP pfs 'disable' + set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site 
peer CISCO authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer CISCO authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer CISCO connection-type 'initiate' + set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2' + set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2' + set vpn ipsec site-to-site peer CISCO vti bind 'vti1' + +Cisco +----- + +.. code-block:: none + + crypto isakmp policy 10 + encr aes + authentication pre-share + group 14 + lifetime 28800 + crypto isakmp key test address 10.0.1.2 + ! + ! + crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac + mode transport + ! + crypto ipsec profile IPsec-profile + set transform-set TS + ! + ! + ! + ! + ! + ! + ! + interface Loopback0 + ip address 1.1.1.1 255.255.255.255 + ! + interface Tunnel10 + ip address 10.100.100.2 255.255.255.252 + ip ospf network point-to-point + tunnel source GigabitEthernet0/0 + tunnel mode ipsec ipv4 + tunnel destination 10.0.1.2 + tunnel protection ipsec profile IPsec-profile + ! + interface GigabitEthernet0/0 + ip address 10.0.2.2 255.255.255.252 + duplex auto + speed auto + media-type rj45 + ! + interface GigabitEthernet0/1 + ip address 192.168.10.1 255.255.255.0 + duplex auto + speed auto + media-type rj45 + ! + interface GigabitEthernet0/2 + ip address 192.168.11.1 255.255.255.0 + duplex auto + speed auto + media-type rj45 + ! + router ospf 1 + router-id 1.1.1.1 + passive-interface GigabitEthernet0/1 + passive-interface GigabitEthernet0/2 + network 10.100.100.0 0.0.0.3 area 0 + network 192.168.10.0 0.0.0.255 area 0 + network 192.168.11.0 0.0.0.255 area 0 + ! + ip route 0.0.0.0 0.0.0.0 10.0.2.1 + + + +Monitoring +========== + +Monitoring on VyOS side +----------------------- + +IKE SAs: + +.. 
code-block:: none + + vyos@vyos:~$ show vpn ike sa + Peer ID / IP Local ID / IP + ------------ ------------- + 10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2 + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ + up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 8175 18439 + + + +IPsec SAs: + +.. code-block:: none + + vyos@vyos:~$ show vpn ipsec sa + Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal + ------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------- + CISCO-vti up 34m59s 17K/14K 224/213 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128 + +OSPF Neighbor Status: + +.. code-block:: none + + vyos@vyos:~$ show ip ospf neighbor + + Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL + 1.1.1.1 1 Full/- 1h29m37s 39.317s 10.100.100.2 vti1:10.100.100.1 0 0 0 + +Routing Table: + +.. code-block:: none + + vyos@vyos:~$ show ip route + Codes: K - kernel route, C - connected, L - local, S - static, + R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, t - Table-Direct, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + + S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:07:54 + C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:07:59 + L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:07:59 + O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:07:50 + C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:07:50 + L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:07:50 + O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:07:54 + C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:07:59 + L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:07:59 + O 192.168.1.0/24 [110/1] is 
directly connected, eth2, weight 1, 00:07:54 + C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:07:59 + L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:07:59 + O>* 192.168.10.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34 + O>* 192.168.11.0/24 [110/2] via 10.100.100.2, vti1, weight 1, 00:07:34 + +Monitoring on Cisco side +------------------------ + +IKE SAs: + +.. code-block:: none + + Cisco#show crypto isakmp sa + IPv4 Crypto ISAKMP SA + dst src state conn-id status + 10.0.1.2 10.0.2.2 QM_IDLE 1002 ACTIVE + + IPv6 Crypto ISAKMP SA + + + +IPsec SAs: + +.. code-block:: none + + Cisco#show crypto ipsec sa + + interface: Tunnel10 + Crypto map tag: Tunnel10-head-0, local addr 10.0.2.2 + + protected vrf: (none) + local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) + remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) + current_peer 10.0.1.2 port 500 + PERMIT, flags={origin_is_acl,} + #pkts encaps: 1295, #pkts encrypt: 1295, #pkts digest: 1295 + #pkts decaps: 1238, #pkts decrypt: 1238, #pkts verify: 1238 + #pkts compressed: 0, #pkts decompressed: 0 + #pkts not compressed: 0, #pkts compr. 
failed: 0 + #pkts not decompressed: 0, #pkts decompress failed: 0 + #send errors 0, #recv errors 0 + + local crypto endpt.: 10.0.2.2, remote crypto endpt.: 10.0.1.2 + plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0 + current outbound spi: 0xC3E9B307(3286872839) + PFS (Y/N): N, DH group: none + + inbound esp sas: + spi: 0x2740C328(658555688) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Tunnel10-head-0 + sa timing: remaining key lifetime (k/sec): (4173824/1401) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + inbound ah sas: + + inbound pcp sas: + + outbound esp sas: + spi: 0xC3E9B307(3286872839) + transform: esp-256-aes esp-sha256-hmac , + in use settings ={Tunnel, } + conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Tunnel10-head-0 + sa timing: remaining key lifetime (k/sec): (4173819/1401) + IV size: 16 bytes + replay detection support: Y + Status: ACTIVE(ACTIVE) + + outbound ah sas: + + outbound pcp sas: + +OSPF Neighbor Status: + +.. code-block:: none + + Cisco# show ip ospf neighbor + + Neighbor ID Pri State Dead Time Address Interface + 2.2.2.2 0 FULL/ - 00:00:35 10.100.100.1 Tunnel10 + +Routing Table: + +.. 
code-block:: none + + Cisco#show ip route + Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP + D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area + N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 + E1 - OSPF external type 1, E2 - OSPF external type 2 + i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 + ia - IS-IS inter area, * - candidate default, U - per-user static route + o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + a - application route + + - replicated route, % - next hop override, p - overrides from PfR + + Gateway of last resort is 10.0.2.1 to network 0.0.0.0 + + S* 0.0.0.0/0 [1/0] via 10.0.2.1 + 1.0.0.0/32 is subnetted, 1 subnets + C 1.1.1.1 is directly connected, Loopback0 + 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks + C 10.0.2.0/30 is directly connected, GigabitEthernet0/0 + L 10.0.2.2/32 is directly connected, GigabitEthernet0/0 + C 10.100.100.0/30 is directly connected, Tunnel10 + L 10.100.100.2/32 is directly connected, Tunnel10 + O 192.168.0.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10 + O 192.168.1.0/24 [110/1001] via 10.100.100.1, 00:09:36, Tunnel10 + 192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks + C 192.168.10.0/24 is directly connected, GigabitEthernet0/1 + L 192.168.10.1/32 is directly connected, GigabitEthernet0/1 + 192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks + C 192.168.11.0/24 is directly connected, GigabitEthernet0/2 + L 192.168.11.1/32 is directly connected, GigabitEthernet0/2 + + +Checking Connectivity +--------------------- + +ICMP packets from PC1 to PC3. + +.. 
code-block:: none + + PC1> ping 192.168.10.2 + + 84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms + 84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms + 84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms + 84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms + 84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms + +ICMP packets from PC2 to PC4. + +.. code-block:: none + + PC2> ping 192.168.11.2 + + 84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms + 84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms + 84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms diff --git a/docs/configexamples/ipsec-pa-route-based.rst b/docs/configexamples/ipsec-pa-route-based.rst new file mode 100644 index 00000000..b6f6f3a7 --- /dev/null +++ b/docs/configexamples/ipsec-pa-route-based.rst 
@@ -0,0 +1,420 @@ +:lastproofread: 2025-06-26 + +.. _examples-ipsec-pa-route-based: + +############################################################# +Route-based Site-to-Site VPN IPsec between VyOS and Palo Alto +############################################################# + +This document is to describe a basic setup using route-based +site-to-site VPN IPsec. In this example we use VyOS 1.5 and +PA 11.0.0. OSPF is selected as routing protocol inside the +tunnel. + +Since this example focuses on IPsec configuration it does not +include firewall configuration. + +Network Topology +================ + +.. image:: /_static/images/ipsec-vyos-pa.png + :align: center + :alt: Network Topology Diagram + +Prerequirements +=============== + +**VyOS:** + ++---------+----------------+ +| WAN IP | 10.0.1.2/30 | ++---------+----------------+ +| LAN1 IP | 192.168.0.1/24 | ++---------+----------------+ +| LAN2 IP | 192.168.1.1/24 | ++---------+----------------+ + +**Cisco:** + ++---------+-----------------+ +| WAN IP | 10.0.2.2/30 | ++---------+-----------------+ +| LAN1 IP | 192.168.10.1/24 | ++---------+-----------------+ +| LAN2 IP | 192.168.11.1/24 | ++---------+-----------------+ + +**IKE parameters:** + ++-------------------+---------+ +| Encryption | AES-128 | ++-------------------+---------+ +| HASH | SHA-1 | ++-------------------+---------+ +| Diff-Helman Group | 14 | ++-------------------+---------+ +| Life-Time | 28800 | ++-------------------+---------+ +| IKE Version | 1 | ++-------------------+---------+ + +**IPsec parameters:** + ++------------+---------+ +| Encryption | AES-256 | ++------------+---------+ +| HASH | SHA-256 | ++------------+---------+ +| Life-Time | 3600 | ++------------+---------+ +| PFS | disable | ++------------+---------+ + +**Hosts configuration** + ++--------+--------------+ +| PC1 IP | 192.168.0.2 | ++--------+--------------+ +| PC2 IP | 192.168.1.2 | ++--------+--------------+ +| PC3 IP | 192.168.10.2 | ++--------+--------------+ +| PC4 IP | 
192.168.11.2 | ++--------+--------------+ + +Configuration +============= + +VyOS +---- + +.. code-block:: none + + set interfaces ethernet eth0 address '10.0.1.2/30' + set interfaces ethernet eth1 address '192.168.0.1/24' + set interfaces ethernet eth2 address '192.168.1.1/24' + set interfaces vti vti1 address '10.100.100.1/30' + set interfaces vti vti1 mtu '1438' + set protocols ospf area 0 network '10.100.100.0/30' + set protocols ospf area 0 network '192.168.0.0/24' + set protocols ospf area 0 network '192.168.1.0/24' + set protocols ospf interface eth1 passive + set protocols ospf interface eth2 passive + set protocols ospf interface vti1 network 'point-to-point' + set protocols ospf parameters router-id '2.2.2.2' + set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 + set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2' + set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2' + set vpn ipsec authentication psk AUTH-PSK secret 'dGVzdA==' + set vpn ipsec authentication psk AUTH-PSK secret-type 'base64' + set vpn ipsec esp-group ESP-GROUP lifetime '3600' + set vpn ipsec esp-group ESP-GROUP pfs 'disable' + set vpn ipsec esp-group ESP-GROUP proposal 10 encryption 'aes256' + set vpn ipsec esp-group ESP-GROUP proposal 10 hash 'sha256' + set vpn ipsec ike-group IKE-GROUP close-action 'start' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '10' + set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '30' + set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1' + set vpn ipsec ike-group IKE-GROUP lifetime '28800' + set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14' + set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes128' + set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1' + set vpn ipsec options disable-route-autoinstall + set vpn ipsec site-to-site peer CISCO authentication local-id '10.0.1.2' + set vpn ipsec site-to-site peer CISCO 
authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer CISCO authentication remote-id '10.0.2.2' + set vpn ipsec site-to-site peer CISCO connection-type 'initiate' + set vpn ipsec site-to-site peer CISCO default-esp-group 'ESP-GROUP' + set vpn ipsec site-to-site peer CISCO ike-group 'IKE-GROUP' + set vpn ipsec site-to-site peer CISCO local-address '10.0.1.2' + set vpn ipsec site-to-site peer CISCO remote-address '10.0.2.2' + set vpn ipsec site-to-site peer CISCO vti bind 'vti1' + +Palo Alto +--------- + +GUI Configuration: + Network -> Network Profiles -> IKE Crypto + + .. image:: /_static/images/PA-IKE-group.png + :align: center + + Network -> Network Profiles -> IKE Gateways + + .. image:: /_static/images/PA-IKE-GW-1.png + :align: center + + .. image:: /_static/images/PA-IKE-GW-2.png + :align: center + + Network -> Network Profiles -> IPSec Crypto + + .. image:: /_static/images/PA-ESP-group.png + :align: center + + Network -> Interfaces + + .. image:: /_static/images/PA-tunnel-1.png + :align: center + + .. image:: /_static/images/PA-tunnel-2.png + :align: center + + .. image:: /_static/images/PA-tunnel-3.png + :align: center + + Network -> IPSec Tunnels + + .. image:: /_static/images/PA-IPsec-tunnel.png + :align: center + +CLI configuration with OSPF: + +.. 
code-block:: none + + set network interface ethernet ethernet1/1 layer3 ip 10.0.2.2/30 + set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow + set network interface ethernet ethernet1/2 layer3 ip 192.168.10.1/24 + set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow + set network interface ethernet ethernet1/3 layer3 ip 192.168.11.1/24 + set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow + set network interface tunnel units tunnel.1 ip 10.100.100.2/30 + set network interface tunnel units tunnel.1 interface-management-profile Allow + set network interface tunnel units tunnel.1 mtu 1438 + set network profiles interface-management-profile Allow ping yes + set network ike crypto-profiles ike-crypto-profiles IKE-GROUP hash sha1 + set network ike crypto-profiles ike-crypto-profiles IKE-GROUP dh-group group14 + set network ike crypto-profiles ike-crypto-profiles IKE-GROUP encryption aes-128-cbc + set network ike crypto-profiles ike-crypto-profiles IKE-GROUP lifetime seconds 28800 + set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp authentication sha256 + set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP esp encryption aes-256-cbc + set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP lifetime seconds 3600 + set network ike crypto-profiles ipsec-crypto-profiles ESP-GROUP dh-group no-pfs + set network ike gateway VyOS authentication pre-shared-key key test + set network ike gateway VyOS protocol ikev1 dpd enable yes + set network ike gateway VyOS protocol ikev1 exchange-mode main + set network ike gateway VyOS protocol ikev1 ike-crypto-profile IKE-GROUP + set network ike gateway VyOS protocol ikev2 dpd enable yes + set network ike gateway VyOS protocol version ikev1 + set network ike gateway VyOS protocol-common nat-traversal enable yes + set network ike gateway VyOS protocol-common fragmentation enable no + set network ike gateway 
VyOS protocol-common passive-mode yes
+ set network ike gateway VyOS local-address interface ethernet1/1
+ set network ike gateway VyOS peer-address ip 10.0.1.2
+ set network ike gateway VyOS local-id id 10.0.2.2
+ set network ike gateway VyOS local-id type ipaddr
+ set network ike gateway VyOS peer-id id 10.0.1.2
+ set network ike gateway VyOS peer-id type ipaddr
+ set network tunnel ipsec VyOS-tunnel auto-key ike-gateway VyOS
+ set network tunnel ipsec VyOS-tunnel auto-key ipsec-crypto-profile ESP-GROUP
+ set network tunnel ipsec VyOS-tunnel tunnel-monitor enable no
+ set network tunnel ipsec VyOS-tunnel tunnel-interface tunnel.1
+ set network tunnel ipsec VyOS-tunnel anti-replay no
+ set network virtual-router default protocol ospf enable yes
+ set network virtual-router default protocol ospf area 0.0.0.0 type normal
+ set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 enable yes
+ set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 passive no
+ set network virtual-router default protocol ospf area 0.0.0.0 interface tunnel.1 link-type p2p
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 enable yes
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 passive yes
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2 link-type broadcast
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 passive yes
+ set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 link-type broadcast
+ set network virtual-router default protocol ospf router-id 1.1.1.1
+ set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 tunnel.1 ]
+
+
+Monitoring
+==========
+
+Monitoring on VyOS side
+-----------------------
+
+IKE SAs:
+
+.. 
code-block:: none
+
+ vyos@vyos:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 10.0.2.2 10.0.2.2 10.0.1.2 10.0.1.2
+
+ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
+ ----- ------ ------- ---- --------- ----- ------ ------
+ up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 1372 25802
+
+
+
+
+IPsec SAs:
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------ ------- -------- -------------- ---------------- ---------------- ----------- -----------------------------
+ PA-vti up 23m27s 9K/10K 149/151 10.0.2.2 10.0.2.2 AES_CBC_256/HMAC_SHA2_256_128
+
+
+OSPF Neighbor Status:
+
+.. code-block:: none
+
+ vyos@vyos:~$ show ip ospf neighbor
+
+ Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
+ 1.1.1.1 1 Full/- 23m56s 37.948s 10.100.100.2 vti1:10.100.100.1 0 0 0
+
+
+Routing Table:
+
+.. code-block:: none
+
+ vyos@vyos:~$ show ip route
+ Codes: K - kernel route, C - connected, L - local, S - static,
+ R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
+ T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
+ f - OpenFabric, t - Table-Direct,
+ > - selected route, * - FIB route, q - queued, r - rejected, b - backup
+ t - trapped, o - offload failure
+
+ S>* 0.0.0.0/0 [1/0] via 10.0.1.1, eth0, weight 1, 00:27:30
+ C>* 10.0.1.0/30 is directly connected, eth0, weight 1, 00:27:34
+ L>* 10.0.1.2/32 is directly connected, eth0, weight 1, 00:27:34
+ O 10.100.100.0/30 [110/1] is directly connected, vti1, weight 1, 00:24:34
+ C>* 10.100.100.0/30 is directly connected, vti1, weight 1, 00:24:34
+ L>* 10.100.100.1/32 is directly connected, vti1, weight 1, 00:24:34
+ O 192.168.0.0/24 [110/1] is directly connected, eth1, weight 1, 00:27:29
+ C>* 192.168.0.0/24 is directly connected, eth1, weight 1, 00:27:34
+ L>* 192.168.0.1/32 is directly connected, eth1, weight 1, 00:27:34
+ O 192.168.1.0/24 [110/1] is 
directly connected, eth2, weight 1, 00:27:29
+ C>* 192.168.1.0/24 is directly connected, eth2, weight 1, 00:27:34
+ L>* 192.168.1.1/32 is directly connected, eth2, weight 1, 00:27:34
+ O>* 192.168.10.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
+ O>* 192.168.11.0/24 [110/11] via 10.100.100.2, vti1, weight 1, 00:24:19
+
+
+Monitoring on Cisco side
+------------------------
+
+IKE SAs:
+
+.. code-block:: none
+
+ admin@PA-VM> show vpn ike-sa
+
+ IKEv1 phase-1 SAs
+ GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
+ -------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
+ 1 10.0.1.2 VyOS Resp Main PSK/DH14/A128/SHA1 Jul.31 01:35:00 Jul.31 09:35:00 v1 13 1 1
+
+ Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
+
+
+ IKEv1 phase-2 SAs
+ Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
+ ------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
+ VyOS 1 VyOS-tunnel 1 Resp ESP/ /tunl/SHA2 8827A3D9 C204F4FA BD202829 9 1
+
+ Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
+
+
+ There is no IKEv2 SA found.
+
+IPsec SAs:
+
+.. code-block:: none
+
+ admin@PA-VM> show vpn ipsec-sa
+
+ GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
+ -------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
+ 1 1 10.0.1.2 VyOS-tunnel(VyOS) ESP/A256/SHA256 8827A3D9 C204F4FA 3600/Unlimited 2733
+
+ Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
+
+OSPF Neighbor Status:
+
+.. 
code-block:: none
+
+ admin@PA-VM> show routing protocol ospf neighbor
+
+ Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
+ N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
+ ==========
+ virtual router: default
+ neighbor address: 10.100.100.1
+ local address binding: 0.0.0.0
+ type: dynamic
+ status: full
+ neighbor router ID: 2.2.2.2
+ area id: 0.0.0.0
+ neighbor priority: 1
+ lifetime remain: 32
+ messages pending: 0
+ LSA request pending: 0
+ options: 0x02: E
+ hello suppressed: no
+ restart helper status: not helping
+ restart helper time remaining: 0
+ restart helper exit reason: none
+
+
+
+Routing Table:
+
+.. code-block:: none
+
+ admin@PA-VM> show routing route
+
+ flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
+ Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
+
+
+ VIRTUAL ROUTER: default (id 1)
+ ==========
+ destination nexthop metric flags age interface next-AS
+ 0.0.0.0/0 10.0.2.1 10 A S ethernet1/1
+ 10.0.2.0/30 10.0.2.2 0 A C ethernet1/1
+ 10.0.2.2/32 0.0.0.0 0 A H
+ 10.100.100.0/30 0.0.0.0 10 Oi 1273 tunnel.1
+ 10.100.100.0/30 10.100.100.2 0 A C tunnel.1
+ 10.100.100.2/32 0.0.0.0 0 A H
+ 192.168.0.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
+ 192.168.1.0/24 10.100.100.1 11 A Oi 1253 tunnel.1
+ 192.168.10.0/24 0.0.0.0 10 Oi 1273 ethernet1/2
+ 192.168.10.0/24 192.168.10.1 0 A C ethernet1/2
+ 192.168.10.1/32 0.0.0.0 0 A H
+ 192.168.11.0/24 0.0.0.0 10 Oi 1273 ethernet1/3
+ 192.168.11.0/24 192.168.11.1 0 A C ethernet1/3
+ 192.168.11.1/32 0.0.0.0 0 A H
+ total routes shown: 14
+
+
+
+Checking Connectivity
+---------------------
+
+ICMP packets from PC1 to PC3.
+
+.. 
code-block:: none
+
+ PC1> ping 192.168.10.2
+
+ 84 bytes from 192.168.10.2 icmp_seq=1 ttl=62 time=8.479 ms
+ 84 bytes from 192.168.10.2 icmp_seq=2 ttl=62 time=3.344 ms
+ 84 bytes from 192.168.10.2 icmp_seq=3 ttl=62 time=3.139 ms
+ 84 bytes from 192.168.10.2 icmp_seq=4 ttl=62 time=3.176 ms
+ 84 bytes from 192.168.10.2 icmp_seq=5 ttl=62 time=3.978 ms
+
+ICMP packets from PC2 to PC4.
+
+.. code-block:: none
+
+ PC2> ping 192.168.11.2
+
+ 84 bytes from 192.168.11.2 icmp_seq=1 ttl=62 time=9.687 ms
+ 84 bytes from 192.168.11.2 icmp_seq=2 ttl=62 time=3.286 ms
+ 84 bytes from 192.168.11.2 icmp_seq=3 ttl=62 time=2.972 ms