GRE IPSec VPN - ACL question
Wow... so many acronyms in that title...
Anyway, been going over GRE IPSec VPN configs for some fun and have a few questions.
I have this config;
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 192.168.128.9 no-xauth
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.128.9
 set transform-set VPN
 match address VPN_TRAFFIC
!
interface Tunnel0
 ip address 203.1.1.1 255.255.255.0
 tunnel source 10.2.2.1
 tunnel destination 192.168.128.9
 crypto map VPN
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.200.0 0.0.0.255 192.168.240.0 0.0.0.255
 deny ip any any
I have a similar config on the other end of the VPN and everything works fine. But my questions are;
1) - Where is the recommended place to put the crypto map statement? Tunnel interface or physical interface?
2) - For the ACL, I seem to remember needing to permit gre in the ACL. So something like
permit gre 192.168.200.0 0.0.0.255 192.168.240.0 0.0.0.255.
But my VPN works with the ACL I have defined... So when do you need to define gre in the ACL?
Cheers.
CCIE# 38186
showroute.net
Comments
jason_lunde Member Posts: 567
1) I have always put the crypto map statement on the physical interface... that's what the ISCW port. shows as well; but it does say in some older IOSs you will need to apply it to both.
2) Ya, normally you don't open the ACL up that wide; you can just go host to host with gre... something like:
access-list 101 permit gre host <ip> host <ip>
That way not too much is permitted in the ACL. Hope this helps man!
chrisone Member Posts: 2,278
Jason is correct, you do not want to apply a whole /24 in your ACL when you're creating a GRE "OVER" IPSEC.
I believe what you did by configuring the crypto map on the GRE was IPSEC "OVER" GRE, which is the complete reverse of a gre/ipsec.
For example:
ipsec/GRE (X) -------- GRE Tunnel -------- (X) GRE/IPSEC
Remember GRE acts like a connected interface between two routers, as if it were connected with a crossover ethernet cable. You can create a GRE tunnel without IPSEC and it will act like a cable was connecting the two routers. Well, in lab theory it is, but over ISPs and using public IPs / loopbacks, you can't connect two routers using a cable now, could we lol, so that's where GRE falls into place and will act like a connected "unprotected" interface between the two. So you want to create an IPSEC tunnel first, then have GRE flow within the IPSEC. That's why on your ACL for the IPSEC you allow GRE hosts to flow through it and apply this to the interface for the IPSEC and not on the GRE Tunnel interface. I hope this clears things up.
GRE/IPSEC (X) -------- IPSEC -------- (X) IPSEC/GRE
is an example of GRE within IPSEC.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
SysAdmin4066 Member Posts: 443
The biggest reason for the GRE portion of this config is to run dynamic routing protocols. The tunnel interface allows for peering, which is required for most dynamic routing protocols. The GRE tunnel is created first, then IPsec is used to encrypt the content of the tunnel.
The ACL can be much narrower in a secure GRE tunnel, because you again have two peering interfaces. So you can use "gre" and "host" statements, as opposed to "network" statements. It will work with "ip" and "network" statements, but it's just more secure to use the first option. That's why your config works. Best practice is to set interesting traffic as the GRE tunnel interfaces with GRE being the protocol.
In Progress: CCIE R&S Written Scheduled July 17th (Tentative)
Next Up: CCIE R&S Lab
APA Member Posts: 959
If you applied the crypto map to the physical exit interface then you would need to use permit gre host x.x.x.x host x.x.x.x
As the traffic would have passed through the Tunnel interface and been encrypted as GRE traffic. So therefore the interesting traffic for the physical interface to match on would need to be the traffic between the GRE endpoints.
The ACL works for your Tunnel interface because the interesting traffic hasn't been encrypted as GRE yet... it would be encrypted then encapsulated as GRE then passed along...
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
rakem Member Posts: 800
Ok so I have been playing around a bit more and now I have this config;
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 10.1.1.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source 192.168.90.2
 tunnel destination 10.1.1.2
!
interface FastEthernet0/0
 ip address 192.168.90.2 255.255.255.0
 speed 100
 full-duplex
 crypto map LUCA
!
router eigrp 1
 network 3.3.3.0 0.0.0.255
 network 4.4.4.0 0.0.0.255
 network 100.100.100.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 network 192.168.90.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 FastEthernet0/0
I was getting the following error for a bit;
"%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing"
Which after some research was fixed by adding in the above static route. Got that info from The "%TUN-5-RECURDOWN" Error Message and Flapping EIGRP/OSPF/BGP Neighbors Over a GRE Tunnel - Cisco Systems
So anyway from what I can see EIGRP packets are being sent over the tunnel, but nothing is being encrypted... there is no IPSec tunnel.
interface: FastEthernet0/0
    Crypto map tag: LUCA, local addr 192.168.90.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.90.2, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
!
!
R6#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

R6#
!
R6#sh int tun1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.90.2, destination 10.1.1.2
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:01, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 9
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     265 packets input, 22976 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     332 packets output, 29048 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
R6#
CCIE# 38186
showroute.net
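The recursive-routing condition in the post above, as an added check written for this page (not code from the thread or from the Cisco document): it models the route selection IOS applies, longest prefix first and then lowest administrative distance, and flags a tunnel whose destination is itself reached through the tunnel. The candidate routes are constructed from R6's config in this post, on the assumption that R1 advertises 10.1.1.0/24 to R6 over the tunnel via EIGRP.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.1.0/24"
    interface: str   # outgoing interface, e.g. "Tunnel1"
    distance: int    # administrative distance: 0 connected, 1 static, 90 EIGRP internal
    source: str      # route code as printed by 'show ip route': C, S, D


def best_route(candidates, destination):
    """Route IOS would install for destination: longest prefix wins, then lowest AD."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in candidates if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return max(matching,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def tunnel_is_recursive(candidates, tunnel_name, tunnel_dst):
    """True when the tunnel destination is routed through the tunnel itself, the
    condition behind %TUN-5-RECURDOWN: the GRE packet would be routed back into
    the tunnel and encapsulated again, so IOS shuts the tunnel down."""
    r = best_route(candidates, tunnel_dst)
    return r is not None and r.interface == tunnel_name


def report(candidates, tunnel_name="Tunnel1", tunnel_dst="10.1.1.2"):
    r = best_route(candidates, tunnel_dst)
    if r is None:
        return f"{tunnel_name} -> {tunnel_dst}: no route"
    state = "RECURSIVE" if tunnel_is_recursive(candidates, tunnel_name, tunnel_dst) else "ok"
    return f"{tunnel_name} -> {tunnel_dst} via {r.source} {r.prefix} on {r.interface}: {state}"


# Constructed from R6's config: Fa0/0 is 192.168.90.2/24, Tunnel1 points at
# 10.1.1.2. Assumption: R1 runs 'network 10.1.1.0' under EIGRP, so R6 learns
# 10.1.1.0/24 through the tunnel (D, AD 90) before the static route is added.
BEFORE_FIX = [
    Route("192.168.90.0/24", "FastEthernet0/0", 0, "C"),
    Route("172.16.1.0/24", "Tunnel1", 0, "C"),
    Route("10.1.1.0/24", "Tunnel1", 90, "D"),
]
# The fix from the post: 'ip route 10.1.1.0 255.255.255.0 FastEthernet0/0'.
# Same prefix length, but AD 1 beats EIGRP's 90, so the static route is installed.
AFTER_FIX = BEFORE_FIX + [Route("10.1.1.0/24", "FastEthernet0/0", 1, "S")]

if __name__ == "__main__":
    print(report(BEFORE_FIX))
    print(report(AFTER_FIX))
```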
APA Member Posts: 959
1) ISAKMP SA association has failed... ensure ISAKMP keys match between peers.
2) Ensure the VPN-TRAFFIC ACL has 'permit gre host x.x.x.x host x.x.x.x'; this will ensure that all GRE traffic between the two routers will be encrypted.
3) For the traffic to be encrypted, ensure routes are pointing towards / learnt via the GRE tunnel interfaces... this will ensure the traffic will be encapsulated as GRE and therefore match the CRYPTO map interesting traffic when exiting the physical interface.
Here is a working config that I just threw together... to enforce the concept of using the CRYPTO MAP on the physical interface so your Crypto ACL only has to have the host to host GRE ACL entry.
Host A
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ipsectest address 10.8.8.0 255.255.255.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA ah-sha-hmac esp-3des
!
crypto map LAB-TEST 10 ipsec-isakmp
 set peer 10.8.8.0
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
!
interface Loopback0
 ip address 192.168.20.254 255.255.255.255
!
interface Loopback1
 ip address 172.16.10.1 255.255.255.255
!
interface Tunnel1
 bandwidth 100000
 ip address 172.16.20.1 255.255.255.254
 tunnel source Loopback1
 tunnel destination 172.16.10.0
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 10.8.8.1 255.255.255.254
 duplex auto
 speed auto
 crypto map LAB-TEST
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel1
 network 10.8.8.0 0.0.0.1
 network 172.16.10.0 0.0.0.1
 network 192.168.20.254 0.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
ip classless
ip route 172.16.10.0 255.255.255.255 10.8.8.0
!
!
access-list 100 permit gre host 172.16.10.1 host 172.16.10.0
!
APALAB2620_B#sh crypto isakmp sa
    dst             src             state          conn-id    slot
    10.8.8.1        10.8.8.0        QM_IDLE              8       0

APALAB2620_B#sh cry
APALAB2620_B#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.1

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   current_peer: 10.8.8.0:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13729, #pkts encrypt: 13729, #pkts digest 13729
    #pkts decaps: 13728, #pkts decrypt: 13728, #pkts verify 13728
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 10.8.8.1, remote crypto endpt.: 10.8.8.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: D68D9FC5

     inbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409561/83343)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409561/83341)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409560/83341)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4409560/83339)
        replay detection support: Y

     outbound pcp sas:

APALAB2620_B#
!
APALAB2620_B#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.10.0/32 is subnetted, 1 subnets
D       192.168.10.254 [90/12953600] via 172.16.20.0, 00:36:47, Tunnel1
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.20.0/31 is directly connected, Tunnel1
S       172.16.10.0/32 [1/0] via 10.8.8.0
C       172.16.10.1/32 is directly connected, Loopback1
     192.168.20.0/32 is subnetted, 1 subnets
C       192.168.20.254 is directly connected, Loopback0
     10.0.0.0/31 is subnetted, 1 subnets
C       10.8.8.0 is directly connected, FastEthernet0/0
APALAB2620_B#
Host B
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ipsectest address 10.8.8.1 255.255.255.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3DES-SHA ah-sha-hmac esp-3des
!
crypto map LAB-TEST 10 ipsec-isakmp
 set peer 10.8.8.1
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
interface Loopback0
 ip address 192.168.10.254 255.255.255.255
!
interface Loopback1
 ip address 172.16.10.0 255.255.255.255
!
interface Tunnel1
 bandwidth 100000
 ip address 172.16.20.0 255.255.255.254
 tunnel source Loopback1
 tunnel destination 172.16.10.1
!
interface FastEthernet0/0
 bandwidth 100000
 ip address 10.8.8.0 255.255.255.254
 duplex auto
 speed auto
 crypto map LAB-TEST
!
router eigrp 1
 passive-interface default
 no passive-interface Tunnel1
 network 10.8.8.0 0.0.0.1
 network 172.16.10.0 0.0.0.1
 network 192.168.10.254 0.0.0.0
 no auto-summary
!
ip route 172.16.10.1 255.255.255.255 10.8.8.1
!
access-list 100 permit gre host 172.16.10.0 host 172.16.10.1
!
APA-LAB2620_RT01#sh crypto isakmp sa
    dst             src             state          conn-id    slot
    10.8.8.1        10.8.8.0        QM_IDLE              8       0

APA-LAB2620_RT01#sh cry
APA-LAB2620_RT01#sh crypto ipse
APA-LAB2620_RT01#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.0

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   current_peer: 10.8.8.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13774, #pkts encrypt: 13774, #pkts digest 13774
    #pkts decaps: 13775, #pkts decrypt: 13775, #pkts verify 13775
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 9, #recv errors 0

     local crypto endpt.: 10.8.8.0, remote crypto endpt.: 10.8.8.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 9FF974F5

     inbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83131)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83130)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83130)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389663/83129)
        replay detection support: Y

     outbound pcp sas:

APA-LAB2620_RT01#
Here is where I clear the SA counters... then show that the route to the host is via the GRE tunnel, which leads into the ICMP test and then viewing of the SA counters.
APA-LAB2620_RT01#clear crypto sa counters
APA-LAB2620_RT01#sh ip route 192.168.20.254
Routing entry for 192.168.20.254/32
  Known via "eigrp 1", distance 90, metric 12953600, type internal
  Redistributing via eigrp 1
  Last update from 172.16.20.1 on Tunnel1, 00:40:55 ago
  Routing Descriptor Blocks:
  * 172.16.20.1, from 172.16.20.1, 00:40:55 ago, via Tunnel1
      Route metric is 12953600, traffic share count is 1
      Total delay is 505000 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 1

APA-LAB2620_RT01#ping 192.168.20.254 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 12/12/16 ms
APA-LAB2620_RT01#sh cry
APA-LAB2620_RT01#sh crypto ipse
APA-LAB2620_RT01#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: LAB-TEST, local addr. 10.8.8.0

   protected vrf:
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.10.1/255.255.255.255/47/0)
   current_peer: 10.8.8.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 107, #pkts encrypt: 107, #pkts digest 107
    #pkts decaps: 107, #pkts decrypt: 107, #pkts verify 107
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.8.8.0, remote crypto endpt.: 10.8.8.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 9FF974F5

     inbound esp sas:
      spi: 0xD68D9FC5(3599605701)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83049)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x712D3754(1898788692)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83047)
        replay detection support: Y

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9FF974F5(2683925749)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83047)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0xCA3EE2D(212069933)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: LAB-TEST
        sa timing: remaining key lifetime (k/sec): (4389642/83046)
        replay detection support: Y

     outbound pcp sas:

APA-LAB2620_RT01#
Hope this helps
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
jason_lunde Member Posts: 567
So what does your topology and IP scheme look like here? Just wondering.
rakem Member Posts: 800
Ok so finally got it working, but something strange I noticed is the following;
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        192.168.90.2    QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.2        YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback200                192.168.200.1   YES NVRAM  up                    up
Tunnel0                    172.18.1.2      YES manual up                    up
R1#
!
!
!
R6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        192.168.90.2    QM_IDLE           1003    0 ACTIVE

IPv6 Crypto ISAKMP SA

R6#
R6#
R6#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.90.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Loopback1                  1.1.1.1         YES NVRAM  up                    up
Loopback2                  2.2.2.2         YES NVRAM  up                    up
Loopback100                100.100.100.1   YES NVRAM  up                    up
Tunnel0                    172.18.1.1      YES manual up                    up
R6#
Both routers are showing the same source IP..... wtf is with that?
R6 Config;
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 10.1.1.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
!
interface Tunnel0
 ip address 172.18.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.2
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback100
 ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.90.2 255.255.255.0
 speed 100
 full-duplex
 crypto map LUCA
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 2.2.2.2 0.0.0.0
 network 100.100.100.0 0.0.0.255
 network 172.18.1.0 0.0.0.255
 network 192.168.90.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 FastEthernet0/0
!
ip access-list extended VPN_TRAFFIC
 permit gre host 192.168.90.2 host 10.1.1.2
R1 Config;
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key luca address 192.168.90.2
!
!
crypto ipsec transform-set LUCA esp-3des esp-sha-hmac
 mode transport
!
crypto map LUCA 20 ipsec-isakmp
 set peer 192.168.90.2
 set transform-set LUCA
 match address VPN_TRAFFIC
!
!
interface Tunnel0
 ip address 172.18.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.90.2
!
interface Loopback200
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map LUCA
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 172.18.1.0 0.0.0.255
 network 192.168.200.0
 no auto-summary
!
ip route 192.168.90.0 255.255.255.0 FastEthernet0/0
!
ip access-list standard subnets
 permit 10.60.0.0
 permit 10.50.0.0
!
ip access-list extended VPN_TRAFFIC
 permit gre host 10.1.1.2 host 192.168.90.2
CCIE# 38186
showroute.net
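As an added example (not code from the thread), a Python model of the point APA made earlier: the crypto ACL is evaluated against whatever packet the crypto map sees on its interface. It parses the IOS ACL lines from rakem's posts and checks the three configs: the first (crypto map on Tunnel0, inner-subnet ACL), the second (map on Fa0/0, ACL on the Tunnel1 addresses, as the idents in that 'sh crypto ipsec sa' output show, hence 0 encaps) and this working one (map on Fa0/0, permit gre between the GRE endpoints). Packet, Ace and the parser are constructed simplifications that handle only contiguous wildcard masks and the protocol names used on this page.

```python
import ipaddress
from dataclasses import dataclass

PROTO = {"ip": None, "gre": 47, "icmp": 1, "eigrp": 88}  # None matches any protocol

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number of the packet as the crypto map sees it

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt):
        want = PROTO[self.proto]
        return ((want is None or want == pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)

def _net(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard masks are not modelled")
    return ipaddress.ip_network(f"{tok}/{32 - wild.bit_length()}", strict=False)

def parse_acl(lines):
    """Parse extended ACL entries such as 'permit gre host A host B'."""
    acl = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        acl.append(Ace(action, proto, _net(tokens), _net(tokens)))
    return acl

def acl_permits(acl, pkt):
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False

def is_encrypted(pkt, crypto_map_on, tunnel_src, tunnel_dst, acl):
    """Crypto map on the Tunnel interface: the ACL is checked against the packet
    before GRE encapsulation. Crypto map on the physical interface: the ACL only
    sees the GRE packet from tunnel source to tunnel destination (protocol 47)."""
    if crypto_map_on == "physical":
        pkt = Packet(tunnel_src, tunnel_dst, PROTO["gre"])
    elif crypto_map_on != "tunnel":
        raise ValueError("crypto_map_on must be 'tunnel' or 'physical'")
    return acl_permits(acl, pkt)

# Constructed cases taken from the three configs rakem posted, as
# (crypto map location, tunnel source, tunnel destination, crypto ACL).
FIRST_POST = ("tunnel", "10.2.2.1", "192.168.128.9", parse_acl([
    "permit ip 192.168.200.0 0.0.0.255 192.168.240.0 0.0.0.255",
    "deny ip any any"]))
SECOND_POST = ("physical", "192.168.90.2", "10.1.1.2",   # ACL named the Tunnel1 addresses
               parse_acl(["permit gre host 172.16.1.1 host 172.16.1.2"]))
WORKING_POST = ("physical", "192.168.90.2", "10.1.1.2",  # ACL names the GRE endpoints
                parse_acl(["permit gre host 192.168.90.2 host 10.1.1.2"]))
LAN_PING = Packet("192.168.200.1", "192.168.240.1", PROTO["icmp"])
EIGRP_HELLO = Packet("172.16.1.1", "224.0.0.10", PROTO["eigrp"])
```

Calling `is_encrypted(LAN_PING, *FIRST_POST)` gives True, while the same ACL with the map moved to the physical interface gives False, which is the answer to question 2 in the original post: once the map sits on the exit interface, only a gre entry between the tunnel endpoints can match.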
APA Member Posts: 959
Yeah, confusing at first.... but remember the ISAKMP SA is bi-directional....
Hence we are seeing the one SA agreed upon, with the router that initiated the ISAKMP IKE process being identified by the SRC host field.
ISAKMP SA = Bidirectional
IPSEC SA = Uni-directional (Always a pair of SAs between VPN endpoints for each network that is to be protected)
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
SysAdmin4066 Member Posts: 443
And let's be careful with encryption versus encapsulation. GRE is encapsulation only, there is no encryption without IPSec.
In Progress: CCIE R&S Written Scheduled July 17th (Tentative)
Next Up: CCIE R&S Lab
ilcram19-2 Banned Posts: 436
I see what you are trying to do, but the only traffic that will be encrypted will be the traffic specified by the ACL going over the tunnel, and you don't need the deny on the ACL; but the GRE tunnel is still unprotected by IPsec, so please do the following. You will need to create an IPsec profile to protect the tunnel with, so it will look something like this:
phase 1
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxx address x.x.x.x
Phase 2
crypto ipsec transform-set ipsec/gre esp-3des esp-md5-hmac
!
crypto ipsec profile ipsec/gre   <---- profile to protect tunnel interface with
set transform-set ipsec/gre
tunnel configuration
interface Tunnel99
ip address 10.1.100.2 255.255.255.252
tunnel source <local public IP or WAN interface>
tunnel destination <destination IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec/gre
Do that on both sides.
Interface: Tunnel99
Session status: UP-ACTIVE
Peer: x.x.x.x port 500
IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0   <--- all encrypted in the gre tunnel
Active SAs: 2, origin: crypto map
Tunnel99 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.100.2/30
MTU 1514 bytes, BW 100000 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source x.x.x.x, destination x.x.x.x
Tunnel protocol/transport IPSEC/IP <----
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec/gre")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 159
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 449000 bits/sec, 29 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
990804 packets input, 321487722 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1393462 packets output, 501258273 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
That would work better than adding a crypto map to the tunnel interface.