IPsec tunnel question
Hey guys,
I was working on the "IPsec challenge lab" in the ISCW lab portfolio book and I came across a task that I wasn't sure how to complete.
To simplify, there are 2 routers connected via a serial link and both are running EIGRP AS 1. The lab wants me to create a GRE IPsec tunnel between these 2 routers - no problem. Then, it asks me to configure the routers so that they both prefer routing traffic over the tunnel instead of the serial link. Given that the serial link is directly connected (with an AD of 0), how can I make these routers prefer the tunnel over the directly connected serial link?
The answer is probably easy, I just can't think of how to do this at the moment......
Next up:
CCIP
Comments
_maurice Member Posts: 142
The AD of 0 is probably only for the local subnet of the serial interface.
With no specific config to work with it is tough to answer. Maybe this is what you want?
ip route 0.0.0.0 0.0.0.0 Tunnel0
tomset Member Posts: 79
_maurice wrote: »The AD of 0 is probably only for the local subnet of the serial interface. With no specific config to work with it is tough to answer. Maybe this is what you want? ip route 0.0.0.0 0.0.0.0 Tunnel0
The static route has an AD of 1, so the router is still going to prefer the directly connected (AD 0) subnet. Any other ideas? I'm fresh out.
Next up:
CCIP
_maurice Member Posts: 142
tomset wrote: »The static route has an AD of 1, so the router is still going to prefer the directly connected (AD 0) subnet. Any other ideas? I'm fresh out.
That is not how it selects a route from the routing table. Even though the directly connected interface route has an administrative distance of 0, traffic destined for something other than the directly connected subnet will not use that route.
Quoting from here --> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094195.shtml
"Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination."
Traffic going to an external IP address not directly connected will not have the same destination as the directly connected subnet. Hence, it will not use the directly connected route with AD of 0.
-maurice
redwarrior Member Posts: 285
I would think that specifying a network of 0.0.0.0 0.0.0.0 for interesting traffic in the ACL for your crypto map would be sufficient to send all traffic over the VPN tunnel rather than another interface. That's all I've had to do in the wild, anyhow.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
_maurice Member Posts: 142
redwarrior wrote: »I would think that specifying a network of 0.0.0.0 0.0.0.0 for interesting traffic in the ACL for your crypto map would be sufficient to send all traffic over the VPN tunnel rather than another interface. That's all I've had to do in the wild, anyhow.
The original poster said it is a GRE IPsec tunnel. The interesting traffic should be the IP addresses bound to the physical interfaces.
dtlokee Member Posts: 2,378
I don't think they were looking for you to route the traffic to the other end of the serial connection through the GRE tunnel, that wouldn't be possible (even if you did something like policy routing it would cause the tunnel to become recursive and it would drop). I think they are really just looking for you to establish the EIGRP session over the tunnel and prefer it to remote networks.
The only easy day was yesterday!
tomset Member Posts: 79
dtlokee wrote: »I don't think they were looking for you to route the traffic to the other end of the serial connection through the GRE tunnel, that wouldn't be possible (even if you did something like policy routing it would cause the tunnel to become recursive and it would drop). I think they are really just looking for you to establish the EIGRP session over the tunnel and prefer it to remote networks.
Ahh, that could be it. Thanks for the tip. I'll just complete the lab by interpreting the task that way.
Next up:
CCIP
jezg76 Member Posts: 97
I just did that lab a bit ago to see how rusty I was on those commands. lol Luckily I'm hitting the VPN portion of the CCNA Security so it was a good refresher.
Worked by changing the EIGRP metrics on the tunnels. At least that's what worked for me and, as always, dt nailed it out of the park.
Back to the grind...
policy-map type inspect TACO
class type inspect BELL
drop log
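The two pieces of advice above (run EIGRP over the tunnel, then give the tunnel a better metric than the serial link) combined into one router's configuration, as an added example that is not from the ISCW lab book or from any poster. The addressing (serial link 10.0.12.0/24, tunnel 172.16.12.0/30, a Loopback0 standing in for each router's LAN), the pre-shared key, and the names GRE-TS, GRE-TO-R2 and GRE-MAP are all assumptions; R2 mirrors this with the addresses swapped. It uses a crypto map on the serial interface, which is the ISCW style; `tunnel protection ipsec profile` on the tunnel interface is the newer equivalent.

```cisco
! R1 -- added example, not the lab's own config. All addresses, names and the
! PSK are assumed. R2 is the mirror image (10.0.12.2 / 172.16.12.2 / 192.168.2.0).
!
! --- IPsec for the GRE packets (crypto map style, as in ISCW) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key ReplaceThisPSK address 10.0.12.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is only the GRE packets between the two tunnel endpoints,
! not "permit ip any any": which traffic enters the tunnel is decided by the
! routing table (EIGRP), and the crypto ACL then just protects the GRE carrier.
ip access-list extended GRE-TO-R2
 permit gre host 10.0.12.1 host 10.0.12.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 10.0.12.2
 set transform-set GRE-TS
 match address GRE-TO-R2
!
interface Serial0/0
 ip address 10.0.12.1 255.255.255.0
 crypto map GRE-MAP
!
! --- GRE tunnel, sourced from the serial address. The endpoint subnet is
!     directly connected (AD 0), so no EIGRP route learned over the tunnel can
!     ever replace it, and the tunnel cannot recurse through itself. ---
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 10.0.12.2
 ! A tunnel's default EIGRP inputs (bandwidth as low as 9 kbit on older IOS,
 ! 100 kbit on newer; delay 50000 usec) lose to the T1 (1544 kbit, 20000 usec).
 ! Claim better values so remote prefixes are installed via Tunnel0.
 ! "delay" is in tens of microseconds: 100 = 1000 usec.
 bandwidth 10000
 delay 100
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.12.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! Verification on R1:
!   show ip route eigrp      192.168.2.0/24 should list next hop 172.16.12.2, Tunnel0
!   show ip eigrp neighbors  R2 seen on Tunnel0 (and on Serial0/0 if EIGRP stays
!                            enabled there; the tunnel path then wins on metric)
!   show crypto ipsec sa     encaps/decaps counters climb as EIGRP hellos and
!                            data cross the tunnel
```

With the classic EIGRP formula (256 * (10^7 / lowest bandwidth in kbit + total delay in tens of microseconds)) and a loopback's own 5000 usec delay, the path to 192.168.2.0/24 over the tunnel above comes out at 409600 against 2297856 over the bare T1, so the tunnel wins and the serial route becomes the feasible successor. Leave the tunnel at its defaults and the serial path wins instead, which is the behaviour the original poster was trying to change. Two checks worth doing afterwards: confirm with `show ip route 10.0.12.2` that the tunnel destination is still reached via the connected serial route rather than via Tunnel0 (if it were, IOS would flap the tunnel with `%TUN-5-RECURDOWN`; sourcing the tunnel from loopbacks that EIGRP also advertises over the tunnel is the usual way to trip this), and confirm with `show crypto ipsec sa` that the SA matches only GRE, so nothing leaves the serial interface in the clear that was meant for the tunnel.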
tomset Member Posts: 79
jezg76 wrote: »I just did that lab a bit ago to see how rusty I was on those commands. lol Luckily I'm hitting the VPN portion of the CCNA Security so it was a good refresher. Worked by changing the EIGRP metrics on the tunnels. At least that's what worked for me and, as always, dt nailed it out of the park. Back to the grind...
How is the CCNA Security material? Interesting? I was thinking about doing that one as well........
Next up:
CCIP
jezg76 Member Posts: 97
tomset wrote: »How is the CCNA Security material? Interesting? I was thinking about doing that one as well........
It's actually proving to be quite interesting. I've never really been a fan of the security side of the house, but I did a Security+ boot camp in early December, not long after I finished the NP stuff, and it just seemed like a good idea. Not to mention, I really enjoy the zone-based firewall stuff. ISCW didn't even mention that so it's nice to see some new material.
I was going to roll right into the QoS exam for the CCIP, but after 11 months of NP action, I wanted more of a refresher so I could also go back and solidify NP material as well, seeing as I don't work with the stuff every day, I want it all to be ingrained in my brain as much as possible.
Plan to do the CCNA Voice after this, which should ease the transition back into the QoS stuff. Then BGP and MPLS are next. This is all assuming the wife doesn't strangle me with a Cat 5 cable for all the studying I've been doing lol
Good luck!
policy-map type inspect TACO
class type inspect BELL
drop log