
BGP redistribute-internal

Elements

In this example we will examine a hidden command: bgp redistribute-internal


R1 is running OSPF with R2, iBGP with R3 (EIGRP provides loopback connectivity) and eBGP
with R4.
By default, when we redistribute BGP into another routing protocol, only eBGP routes are
redistributed. Let us verify this.

Configuration

R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255

interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
speed 100
full-duplex

interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
speed 100
full-duplex

interface Serial0/0
ip address 192.168.14.1 255.255.255.0
encapsulation ppp

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
redistribute bgp 1 subnets
network 192.168.12.1 0.0.0.0 area 0

router eigrp 1
network 1.1.1.1 0.0.0.0
network 192.168.13.1 0.0.0.0
no auto-summary

router bgp 1
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
neighbor 192.168.14.4 remote-as 4
no auto-summary

R2

interface Loopback0
ip address 2.2.2.2 255.255.255.255

interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
speed 100
full-duplex

router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 192.168.12.2 0.0.0.0 area 0

R3

interface Loopback0
ip address 3.3.3.3 255.255.255.255

interface Loopback1
ip address 13.13.13.13 255.255.255.255

interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
speed 100
full-duplex

R3#sh run | sec router eigrp


router eigrp 1
network 3.3.3.3 0.0.0.0
network 192.168.13.3 0.0.0.0
no auto-summary

router bgp 1
network 3.3.3.3 mask 255.255.255.255
network 13.13.13.13 mask 255.255.255.255
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
no auto-summary

R4

interface Loopback0
ip address 4.4.4.4 255.255.255.255

interface Serial0/0
ip address 192.168.14.4 255.255.255.0
encapsulation ppp
clock rate 2000000

router bgp 4
network 4.4.4.4 mask 255.255.255.255
neighbor 192.168.14.1 remote-as 1
no auto-summary

Verification

Now let us check the basic adjacencies and route advertisements before we do the
redistribution:
R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


2.2.2.2 1 FULL/DR 00:00:36 192.168.12.2 FastEthernet0/0

R1#sh ip route ospf


2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 192.168.12.2, 00:38:13, FastEthernet0/0

R1#sh ip bgp summary


BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 5, main routing table version 5
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 2 (at peak 2) using 64 bytes of memory
BGP using 976 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.3 4 1 42 41 5 0 0 00:36:19 2
192.168.14.4 4 4 41 42 5 0 0 00:37:13 1

R1#sh ip bgp
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path


r>i3.3.3.3/32 3.3.3.3 0 100 0 i
*> 4.4.4.4/32 192.168.14.4 0 0 4 i
*>i13.13.13.13/32 3.3.3.3 0 100 0 i

R2#sh ip ospf neighbor


Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:39 192.168.12.1 FastEthernet0/0
R2#sh ip route ospf
R2#

R3#sh ip bgp summary


BGP router identifier 3.3.3.3, local AS number 1
BGP table version is 3, main routing table version 3
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/1 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 944 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


1.1.1.1 4 1 41 42 3 0 0 00:36:40 1
R3#sh ip bgp
BGP table version is 3, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 0.0.0.0 0 32768 i
* i4.4.4.4/32 192.168.14.4 0 100 0 4 i
*> 13.13.13.13/32 0.0.0.0 0 32768 i
R4#sh ip bgp summary
BGP router identifier 4.4.4.4, local AS number 4
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 944 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


192.168.14.1 4 1 42 41 4 0 0 00:37:42 2
R4#sh ip bgp
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path


*> 3.3.3.3/32 192.168.14.1 0 1 i
*> 4.4.4.4/32 0.0.0.0 0 32768 i
*> 13.13.13.13/32 192.168.14.1 0 1 i

So, everything is functioning normally. Now let us do one-way redistribution from BGP into OSPF
on R1. According to the rule we mentioned above, R2 should receive only 4.4.4.4/32
(which is the prefix learned via eBGP).
R1(config)#router ospf 1
R1(config-router)#redistribute bgp 1 subnets
R2#sh ip route ospf
4.0.0.0/32 is subnetted, 1 subnets
O E2 4.4.4.4 [110/1] via 192.168.12.1, 00:00:10, FastEthernet0/0

This is correct: we cannot see the 13.13.13.13/32 prefix, which is learned via iBGP. Now
let us add the hidden command:
R1(config-router)#router bgp 1
R1(config-router)#bgp redistribute-internal
R2#sh ip route ospf
4.0.0.0/32 is subnetted, 1 subnets
O E2 4.4.4.4 [110/1] via 192.168.12.1, 00:00:51, FastEthernet0/0
13.0.0.0/32 is subnetted, 1 subnets
O E2 13.13.13.13 [110/1] via 192.168.12.1, 00:00:03, FastEthernet0/0

And yes, this command also takes the iBGP-learned routes and redistributes them.
We can also see the command in the running configuration:
R1#sh run | sec router bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
bgp redistribute-internal
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
neighbor 192.168.14.4 remote-as 4
no auto-summary

DMVPN with EIGRP


Posted by MSSK , 08 December 2013 · 20,870 views

Elements

We are going to configure DMVPN with EIGRP as the routing protocol
between the hub and the spokes.
Our hub will be R1 and the spokes will be R2 and R3.

Configuration

R1
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
ip address 212.118.14.1 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 212.118.14.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile


crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
! Set the bandwidth so that EIGRP does not overwhelm the tunnel
bandwidth 1000
ip address 10.1.123.1 255.255.255.0
no ip redirects
! A lower MTU is better here because of the IPsec and GRE headers
ip mtu 1400
! The spokes are going to communicate with each other
no ip next-hop-self eigrp 1
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 5
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.1.123.1 0.0.0.0
network 192.168.1.1 0.0.0.0
no auto-summary

R2
interface Loopback0
ip address 192.168.2.1 255.255.255.0

interface FastEthernet0/0
ip address 62.215.1.2 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 62.215.1.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile


crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
bandwidth 1000
ip address 10.1.123.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 212.118.14.1
ip nhrp map 10.1.123.1 212.118.14.1
ip nhrp network-id 5
ip nhrp nhs 10.1.123.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.0.0.0
network 192.168.2.1 0.0.0.0
no auto-summary

R3
interface Loopback0
ip address 192.168.3.1 255.255.255.0

interface FastEthernet0/0
ip address 62.215.1.3 255.255.255.0
speed 100
full-duplex

ip route 0.0.0.0 0.0.0.0 62.215.1.4

IKE Phase I
crypto isakmp policy 10
encr aes
authentication pre-share
group 2

Authentication-key configuration
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

IKE Phase II
crypto ipsec transform-set SET esp-aes esp-sha-hmac

Attaching the transform-set to IPSEC profile


crypto ipsec profile PROFILE
set transform-set SET

Tunnel Interface
interface Tunnel0
bandwidth 1000
ip address 10.1.123.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast 212.118.14.1
ip nhrp map 10.1.123.1 212.118.14.1
ip nhrp network-id 5
ip nhrp nhs 10.1.123.1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 6
tunnel protection ipsec profile PROFILE

Routing
router eigrp 1
network 10.1.123.3 0.0.0.0
network 192.168.3.1 0.0.0.0
no auto-summary

R4
interface FastEthernet0/0
ip address 62.215.1.4 255.255.255.0
speed 100
full-duplex

interface FastEthernet0/1
ip address 212.118.14.4 255.255.255.0
speed 100
full-duplex
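
A check of the crypto settings used above, as an added example (not part of the original post): this Python sketch audits an IOS configuration for three choices the lab makes for convenience, namely a wildcard pre-shared key (address 0.0.0.0 0.0.0.0), Diffie-Hellman group 2, and the same string (cisco) used for both the ISAKMP key and NHRP authentication. The HARDENED_CONFIG sample, its placeholder keys and the check names are constructed for illustration.

```python
import re

# R1 (hub) crypto and NHRP lines, copied from the configuration above.
HUB_CONFIG = """\
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set SET esp-aes esp-sha-hmac
interface Tunnel0
ip nhrp authentication cisco
ip nhrp map multicast dynamic
tunnel protection ipsec profile PROFILE
"""

# Constructed sample (not from the post): per-spoke keys, DH group 14 and an
# unrelated NHRP string. The key values are placeholders.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-KEY-R2 address 62.215.1.2
crypto isakmp key PLACEHOLDER-KEY-R3 address 62.215.1.3
interface Tunnel0
 ip nhrp authentication NHRPSTR1
 tunnel protection ipsec profile PROFILE
"""

WEAK_DH_BITS = {"1": 768, "2": 1024, "5": 1536}  # MODP group -> modulus bits
POLICY_SUBCOMMANDS = ("encr", "encryption", "authentication", "group",
                      "hash", "lifetime")
KEY_RE = re.compile(
    r"crypto isakmp key (?:[06] )?(\S+) address (\S+)(?: (\S+))?$")


def audit(config):
    """Return a list of (check_id, detail) findings for an IOS config."""
    findings, psks, nhrp_strings, policy = [], set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy and line.split()[0] not in POLICY_SUBCOMMANDS:
            policy = None  # left the ISAKMP policy sub-mode
        m = re.match(r"group (\d+)$", line)
        if policy and m and m.group(1) in WEAK_DH_BITS:
            findings.append(("weak-dh-group",
                             "policy %s uses DH group %s (%d-bit MODP)"
                             % (policy, m.group(1), WEAK_DH_BITS[m.group(1)])))
        m = KEY_RE.match(line)
        if m:
            key, addr, mask = m.groups()
            psks.add(key)
            if addr == "0.0.0.0" and mask in (None, "0.0.0.0"):
                findings.append(("wildcard-psk",
                                 "pre-shared key is accepted from any peer "
                                 "address; scope it per peer or use certificates"))
        m = re.match(r"ip nhrp authentication (\S+)$", line)
        if m:
            nhrp_strings.add(m.group(1))
    if psks & nhrp_strings:
        findings.append(("psk-reused-for-nhrp",
                         "NHRP authentication string equals an ISAKMP "
                         "pre-shared key; use unrelated values"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hub", HUB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for check, detail in audit(cfg) or [("ok", "no findings")]:
            print("  %-20s %s" % (check, detail))
```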

Verification

R1#sh ip eigrp neighbors


IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.123.3 Tu0 14 00:30:16 9 200 0 3
0 10.1.123.2 Tu0 11 00:32:27 12 200 0 3

R1#sh ip eigrp topology


IP-EIGRP Topology Table for AS(1)/ID(192.168.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,


r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 128256


via Connected, Loopback0
P 192.168.2.0/24, 1 successors, FD is 15488000
via 10.1.123.2 (15488000/128256), Tunnel0
P 192.168.3.0/24, 1 successors, FD is 15488000
via 10.1.123.3 (15488000/128256), Tunnel0
P 10.1.123.0/24, 1 successors, FD is 15360000
via Connected, Tunnel0

R1#sh ip route eigrp


D 192.168.2.0/24 [90/15488000] via 10.1.123.2, 00:32:54, Tunnel0
D 192.168.3.0/24 [90/15488000] via 10.1.123.3, 00:30:43, Tunnel0

R1#ping 192.168.3.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

R2#sh ip eigrp neighbors


IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.123.1 Tu0 12 00:35:51 9 300 0 7

R2#sh ip eigrp topology


IP-EIGRP Topology Table for AS(1)/ID(192.168.2.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,


r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 15488000


via 10.1.123.1 (15488000/128256), Tunnel0
P 192.168.2.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.3.0/24, 1 successors, FD is 28288000
10.1.123.3 via 10.1.123.1 (28288000/15488000), Tunnel0
P 10.1.123.0/24, 1 successors, FD is 15360000
via Connected, Tunnel0
R2#sh ip route eigrp
D 192.168.1.0/24 [90/15488000] via 10.1.123.1, 00:35:57, Tunnel0
D 192.168.3.0/24 [90/28288000] via 10.1.123.3, 00:33:46, Tunnel0

R2#ping 192.168.1.1 source lo0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

R2#ping 192.168.3.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3#sh ip eigrp topology


IP-EIGRP Topology Table for AS(1)/ID(192.168.3.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,


r - reply Status, s - sia Status

P 192.168.1.0/24, 1 successors, FD is 15488000


via 10.1.123.1 (15488000/128256), Tunnel0
P 192.168.2.0/24, 1 successors, FD is 28288000
10.1.123.2 via 10.1.123.1 (28288000/15488000), Tunnel0
P 192.168.3.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 10.1.123.0/24, 1 successors, FD is 15360000
via Connected, Tunnel0

R3#sh ip route eigrp


D 192.168.1.0/24 [90/15488000] via 10.1.123.1, 00:34:11, Tunnel0
D 192.168.2.0/24 [90/28288000] via 10.1.123.2, 00:34:11, Tunnel0

R3#ping 192.168.1.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

R3#ping 192.168.2.1 source lo0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#sh crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
212.118.14.1 62.215.1.3 QM_IDLE 1002 0 ACTIVE
212.118.14.1 62.215.1.2 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
62.215.1.3 62.215.1.2 QM_IDLE 1003 0 ACTIVE
212.118.14.1 62.215.1.2 QM_IDLE 1001 0 ACTIVE
62.215.1.2 62.215.1.3 QM_IDLE 1002 0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#sh crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
62.215.1.2 62.215.1.3 QM_IDLE 1003 0 ACTIVE
62.215.1.3 62.215.1.2 QM_IDLE 1002 0 ACTIVE
212.118.14.1 62.215.1.3 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh ip nhrp detail


10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:37:38, expire 01:22:21
Type: dynamic, Flags: unique registered
NBMA address: 62.215.1.2
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:35:16, expire 01:24:43
Type: dynamic, Flags: unique registered
NBMA address: 62.215.1.3

R2#sh ip nhrp detail


10.1.123.1/32 via 10.1.123.1, Tunnel0 created 00:37:52, never expire
Type: static, Flags: used
NBMA address: 212.118.14.1
10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:34:49, expire 01:25:10
Type: dynamic, Flags: router unique local
NBMA address: 62.215.1.2
(no-socket)
Requester: 10.1.123.3 Request ID: 3
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:34:49, expire 01:25:12
Type: dynamic, Flags: router
NBMA address: 62.215.1.3

R3#sh ip nhrp detail


10.1.123.1/32 via 10.1.123.1, Tunnel0 created 00:35:33, never expire
Type: static, Flags: used
NBMA address: 212.118.14.1
10.1.123.2/32 via 10.1.123.2, Tunnel0 created 00:34:58, expire 01:25:01
Type: dynamic, Flags: router
NBMA address: 62.215.1.2
10.1.123.3/32 via 10.1.123.3, Tunnel0 created 00:34:58, expire 01:25:03
Type: dynamic, Flags: router unique local
NBMA address: 62.215.1.3
(no-socket)
Requester: 10.1.123.2 Request ID: 2

R3#ping 192.168.2.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/24/36 ms

R3#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 62.215.1.3

protected vrf: (none)


local ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (212.118.14.1/255.255.255.255/47/0)
current_peer 212.118.14.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 212.118.14.1


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FBF604E(2411683918)

inbound esp sas:


spi: 0x8FD1F0B9(2412900537)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4573644/3532)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x8FBF604E(2411683918)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4573644/3532)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

If we ping again, the traffic goes to R2 directly, because the spoke-to-spoke mapping has
already been resolved using R1 as the NHRP server.

R3#ping 192.168.2.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms

R3#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 62.215.1.3

protected vrf: (none)


local ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (62.215.1.2/255.255.255.255/47/0)
current_peer 62.215.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 62.215.1.2


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x94A5F278(2493903480)

inbound esp sas:


spi: 0xE6A6B2B8(3869684408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: SW:11, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607889/3535)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x94A5F278(2493903480)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: SW:12, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607889/3535)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)


local ident (addr/mask/prot/port): (62.215.1.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (212.118.14.1/255.255.255.255/47/0)
current_peer 212.118.14.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
#pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 62.215.1.3, remote crypto endpt.: 212.118.14.1


path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FBF604E(2411683918)

inbound esp sas:


spi: 0x8FD1F0B9(2412900537)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4573638/3397)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:


spi: 0x8FBF604E(2411683918)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4573639/3397)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

MPLS L3VPN with PPPoE


Posted by MSSK , 15 January 2014 · 20,784 views

In this example we will configure MPLS L3VPN between two sites, but one of the CEs is
connected via a normal Ethernet connection and the other one is connected via PPPoE.
OSPF will be the PE-CE routing protocol and IS-IS level-2 will be the IGP inside the
MPLS backbone; area 49.0001 is in use.
The MPLS backbone will be located in AS 100.

Configuration

R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255

interface FastEthernet0/0
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1

interface Dialer1
mtu 1492
ip address dhcp
encapsulation ppp
dialer pool 1

router ospf 100


router-id 1.1.1.1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.12.1 0.0.0.0 area 0

R2
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip router isis 1

interface FastEthernet0/0
ip address 192.168.23.2 255.255.255.0
ip router isis 1
speed 100
full-duplex
mpls ip

interface FastEthernet0/1
no ip address
speed 100
full-duplex
pppoe enable group PPPOE

bba-group pppoe PPPOE


virtual-template 1

interface Virtual-Template1
ip vrf forwarding MSSK
ip address 192.168.12.2 255.255.255.0

mpls label protocol ldp


mpls ldp router-id Loopback0 force

ip vrf MSSK
rd 100:1
route-target export 100:1
route-target import 100:1

ip dhcp pool POOL


network 192.168.12.0 255.255.255.0

router isis 1
net 49.0001.0000.0000.0002.00
is-type level-2-only

router ospf 100 vrf MSSK


router-id 2.2.2.2
redistribute bgp 100 subnets
network 192.168.12.2 0.0.0.0 area 0

router bgp 100


no bgp default ipv4-unicast
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
address-family ipv4 vrf MSSK
redistribute ospf 100 vrf MSSK

R3
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip router isis 1

interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
ip router isis 1
speed 100
full-duplex
mpls ip

interface FastEthernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis 1
speed 100
full-duplex
mpls ip

mpls label protocol ldp


mpls ldp router-id Loopback0 force

router isis 1
net 49.0001.0000.0000.0003.00
is-type level-2-only

R4
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip router isis 1

interface FastEthernet0/0
ip address 192.168.34.4 255.255.255.0
ip router isis 1
speed 100
full-duplex
mpls ip

interface FastEthernet0/1
ip vrf forwarding MSSK
ip address 192.168.45.4 255.255.255.0
ip ospf network point-to-point
speed 100
full-duplex

ip vrf MSSK
rd 100:1
route-target export 100:1
route-target import 100:1

mpls label protocol ldp
mpls ldp router-id Loopback0 force

router isis 1
net 49.0001.0000.0000.0004.00
is-type level-2-only

router ospf 100 vrf MSSK


router-id 4.4.4.4
redistribute bgp 100 subnets
network 192.168.45.4 0.0.0.0 area 0

router bgp 100


no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
address-family ipv4 vrf MSSK
redistribute ospf 100 vrf MSSK
no synchronization

R5
interface Loopback0
ip address 5.5.5.5 255.255.255.255

interface FastEthernet0/0
ip address 192.168.45.5 255.255.255.0
ip ospf network point-to-point
speed 100
full-duplex

router ospf 100


router-id 5.5.5.5
network 5.5.5.5 0.0.0.0 area 0
network 192.168.45.5 0.0.0.0 area 0

Verifications

R2#show mpls ldp neighbor


Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
TCP connection: 3.3.3.3.50422 - 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 875/880; Downstream
Up time: 12:43:17
LDP discovery sources:
FastEthernet0/0, Src IP addr: 192.168.23.3
Addresses bound to peer LDP Ident:
3.3.3.3 192.168.23.3 192.168.34.3
R3#show mpls ldp neighbor
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.50422
State: Oper; Msgs sent/rcvd: 881/876; Downstream
Up time: 12:43:30
LDP discovery sources:
FastEthernet0/0, Src IP addr: 192.168.23.2
Addresses bound to peer LDP Ident:
2.2.2.2 192.168.23.2
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.44368 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 879/881; Downstream
Up time: 12:43:10
LDP discovery sources:
FastEthernet0/1, Src IP addr: 192.168.34.4
Addresses bound to peer LDP Ident:
4.4.4.4 192.168.34.4

R4#show mpls ldp neighbor


Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 4.4.4.4:0
TCP connection: 3.3.3.3.646 - 4.4.4.4.44368
State: Oper; Msgs sent/rcvd: 881/879; Downstream
Up time: 12:43:17
LDP discovery sources:
FastEthernet0/0, Src IP addr: 192.168.34.3
Addresses bound to peer LDP Ident:
3.3.3.3 192.168.23.3 192.168.34.3

R2#show bgp vpnv4 unicast all summary


BGP router identifier 2.2.2.2, local AS number 100
BGP table version is 9, main routing table version 9
4 network entries using 560 bytes of memory
4 path entries using 272 bytes of memory
5/4 BGP path/bestpath attribute entries using 620 bytes of memory
2 BGP extended community entries using 80 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1564 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


4.4.4.4 4 100 768 768 9 0 0 12:41:56 2
R2#show bgp vpnv4 unicast all
BGP table version is 9, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf MSSK)
*> 1.1.1.1/32 192.168.12.1 2 32768 ?
*>i5.5.5.5/32 4.4.4.4 2 100 0 ?
*> 192.168.12.0 0.0.0.0 0 32768 ?
*>i192.168.45.0 4.4.4.4 0 100 0 ?

R4#show bgp vpnv4 unicast all summary


BGP router identifier 4.4.4.4, local AS number 100
BGP table version is 9, main routing table version 9
4 network entries using 560 bytes of memory
4 path entries using 272 bytes of memory
5/4 BGP path/bestpath attribute entries using 620 bytes of memory
2 BGP extended community entries using 80 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1564 total bytes of memory
BGP activity 4/0 prefixes, 4/0 paths, scan interval 15 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd


2.2.2.2 4 100 769 769 9 0 0 12:42:04 2
R4#show bgp vpnv4 unicast all
BGP table version is 9, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path


Route Distinguisher: 100:1 (default for vrf MSSK)
*>i1.1.1.1/32 2.2.2.2 2 100 0 ?
*> 5.5.5.5/32 192.168.45.5 2 32768 ?
*>i192.168.12.0 2.2.2.2 0 100 0 ?
*> 192.168.45.0 0.0.0.0 0 32768 ?

R1#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


2.2.2.2 0 FULL/ - 00:00:39 192.168.12.2 Dialer1
R1#sh ip route ospf
O IA 192.168.45.0/24 [110/1786] via 192.168.12.2, 00:12:49, Dialer1
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/1787] via 192.168.12.2, 00:12:49, Dialer1

R5#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface


4.4.4.4 0 FULL/ - 00:00:32 192.168.45.4 FastEthernet0/0
R5#sh ip route ospf
O IA 192.168.12.0/24 [110/2] via 192.168.45.4, 00:13:22, FastEthernet0/0
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/3] via 192.168.45.4, 00:13:22, FastEthernet0/0

R1#ping 5.5.5.5 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms

R5#ping 1.1.1.1 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms
