2. The basic network
In our first test, we'll create an IPsec tunnel over an intermediate network. The tunnel will be created between router R1 and router R3, both Cisco routers. The intermediate network is represented by router R2.

We make sure that R1, R2 and R3 can reach each other. The IP addressing table is:
Device  | Interface | IP address    | Subnet mask   | Default Gateway
--------|-----------|---------------|---------------|----------------
R1      | F0/0      | 192.168.201.1 | 255.255.255.0 | N/A
R1      | F0/1      | 10.128.11.1   | 255.255.255.0 | N/A
R2      | F0/0      | 192.168.201.2 | 255.255.255.0 | N/A
R2      | F0/1      | 192.168.200.2 | 255.255.255.0 | N/A
R3      | F0/0      | 192.168.200.1 | 255.255.255.0 | N/A
R3      | F0/1      | 10.128.12.1   | 255.255.255.0 | N/A
xenial1 | vbox11    | 10.128.11.101 | 255.255.255.0 | 10.128.11.1
xenial2 | vbox12    | 10.128.12.101 | 255.255.255.0 | 10.128.12.1
We'll configure OSPF so that all three routers learn the complete routing table.
2.1. Routers
2.1.1. R1
The basic configuration for R1 is:
enable
config t
hostname R1
no ip domain-lookup
int f0/0
 ip address 192.168.201.1 255.255.255.0
 no shut
int f0/1
 ip address 10.128.11.1 255.255.255.0
 no shut
router ospf 101
 network 192.168.201.0 0.0.0.255 area 0
 network 10.128.11.0 0.0.0.255 area 0
2.1.2. R2
The basic configuration for R2 is:
enable
config t
hostname R2
no ip domain-lookup
int f0/0
 ip address 192.168.201.2 255.255.255.0
 no shut
int f0/1
 ip address 192.168.200.2 255.255.255.0
 no shut
router ospf 101
 network 192.168.200.0 0.0.0.255 area 0
 network 192.168.201.0 0.0.0.255 area 0
2.1.3. R3
The basic configuration for R3 is:
enable
config t
hostname R3
no ip domain-lookup
int f0/0
 ip address 192.168.200.1 255.255.255.0
 no shut
int f0/1
 ip address 10.128.12.1 255.255.255.0
 no shut
router ospf 101
 network 192.168.200.0 0.0.0.255 area 0
 network 10.128.12.0 0.0.0.255 area 0
2.2. Hosts
2.2.1. Vagrantfile
For convenience, the hosts are created with Vagrant.
# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.define :xenial1 do |t|
    t.vm.box = "ubuntu/xenial64"
    t.vm.box_url = "file:////links/virt_comp/vagrant/boxes/xenial64.box"
    # Second NIC on host-only network vboxnet11 (10.128.11.0/24, towards R1);
    # the first NIC stays the VirtualBox NAT adapter used by vagrant ssh
    t.vm.provider "virtualbox" do |prov|
      prov.customize ["modifyvm", :id, "--nic2", "hostonly", "--hostonlyadapter2", "vboxnet11"]
    end
    t.vm.provision "shell", path: "./setup.xenial1.sh"
  end

  config.vm.define :xenial2 do |t|
    t.vm.box = "ubuntu/xenial64"
    t.vm.box_url = "file:////links/virt_comp/vagrant/boxes/xenial64.box"
    # Second NIC on host-only network vboxnet12 (10.128.12.0/24, towards R3)
    t.vm.provider "virtualbox" do |prov|
      prov.customize ["modifyvm", :id, "--nic2", "hostonly", "--hostonlyadapter2", "vboxnet12"]
    end
    t.vm.provision "shell", path: "./setup.xenial2.sh"
  end
end
2.2.2. Setup for xenial1
#!/bin/bash
# The host-only adapter starts life as eth1 but is renamed at boot;
# recover its current name from the kernel log
ETH1=$(dmesg | grep -i 'renamed from eth1' | sed -n 's/: renamed from eth1//;s/.* //p')
ifconfig "$ETH1" 10.128.11.101 netmask 255.255.255.0 up
# Only the lab networks go via R1; the default route stays on the NAT adapter
route add -net 192.168.192.0 netmask 255.255.192.0 gw 10.128.11.1
route add -net 10.128.0.0 netmask 255.255.0.0 gw 10.128.11.1
apt-get update
# -y: the provisioner runs without a terminal, so apt-get must not prompt
apt-get install -y traceroute
Some remarks are useful here. We use $ETH1 as the network interface, because Ubuntu no longer guarantees that the second adapter is called eth1: it is renamed at boot, so the script looks up the current name instead of hard-coding it.
We also route only the networks used in the lab via R1, rather than changing the default route. In this way the default route stays on the NAT adapter, so we can still reach the host with vagrant ssh and the host can still reach the Internet.
2.2.3. Setup for xenial2
The same remarks as for xenial1 apply here.
#!/bin/bash
# The host-only adapter starts life as eth1 but is renamed at boot;
# recover its current name from the kernel log
ETH1=$(dmesg | grep -i 'renamed from eth1' | sed -n 's/: renamed from eth1//;s/.* //p')
ifconfig "$ETH1" 10.128.12.101 netmask 255.255.255.0 up
# Only the lab networks go via R3; the default route stays on the NAT adapter
route add -net 192.168.192.0 netmask 255.255.192.0 gw 10.128.12.1
route add -net 10.128.0.0 netmask 255.255.0.0 gw 10.128.12.1
apt-get update
# -y: the provisioner runs without a terminal, so apt-get must not prompt
apt-get install -y traceroute
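The two setup scripts rely on the summary routes 192.168.192.0/18 and 10.128.0.0/16 covering every lab network without touching the NAT path. The following check, added here as an example and not part of the lab's own files, verifies that from the addressing table: each gateway is on-link, each lab network is covered, and no static route overlaps the NAT network. The NAT network 10.0.2.0/24 is an assumption (VirtualBox's default), not a value from the page.

```python
import ipaddress

# Lab networks from the addressing table on this page
LAB_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.168.201.0/24",  # R1 - R2
    "192.168.200.0/24",  # R2 - R3
    "10.128.11.0/24",    # xenial1 side
    "10.128.12.0/24",    # xenial2 side
)]
# Assumption: VirtualBox's default NAT network, used by vagrant ssh and Internet access
NAT_NETWORK = ipaddress.ip_network("10.0.2.0/24")

# Host-only address and the static routes from each setup script (255.255.192.0 = /18)
HOSTS = {
    "xenial1": ("10.128.11.101/24", [("192.168.192.0/18", "10.128.11.1"),
                                      ("10.128.0.0/16", "10.128.11.1")]),
    "xenial2": ("10.128.12.101/24", [("192.168.192.0/18", "10.128.12.1"),
                                      ("10.128.0.0/16", "10.128.12.1")]),
}

def check_routes(iface_str, routes):
    """Return a list of problems with a host's static routes (empty list means OK)."""
    iface = ipaddress.ip_interface(iface_str)
    problems = []
    parsed = [(ipaddress.ip_network(net), ipaddress.ip_address(gw)) for net, gw in routes]
    # 1. Each gateway must be on-link, otherwise 'route add ... gw' is rejected
    for net, gw in parsed:
        if gw not in iface.network:
            problems.append(f"gateway {gw} for {net} is not on-link ({iface.network})")
    # 2. Every lab network must be on-link or covered by one of the static routes
    for lab in LAB_NETWORKS:
        if lab != iface.network and not any(lab.subnet_of(net) for net, _ in parsed):
            problems.append(f"no static route covers {lab}")
    # 3. No static route may overlap the NAT network, or vagrant ssh / Internet break
    for net, _ in parsed:
        if net.overlaps(NAT_NETWORK):
            problems.append(f"route {net} overlaps NAT network {NAT_NETWORK}")
    return problems

def check_all():
    """Run the check for every host in the lab table; maps host name -> problem list."""
    return {name: check_routes(iface, routes) for name, (iface, routes) in HOSTS.items()}

if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "OK" if not problems else problems)
```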