Issue with IPSEC/GRE access-lists
Hi,
I'm trying to lock down some access-lists on a router.
Two routers, R1 and R2, are the endpoints for an IPSEC tunnel where the interesting traffic is GRE between the two routers (thus encrypting the GRE tunnel and everything inside it).
Everything works great when I have access lists like the following (inbound on the interface connected to the far router):
On R2
permit esp R1 R2
permit udp R1 R2 eq isakmp
permit gre R1 R2
I was under the impression that I could get the list down to:
permit esp R1 R2
permit udp R1 R2 eq isakmp
If IPSEC is running in tunnel mode, wouldn't it completely encapsulate the GRE, making it unnecessary in the access lists?
After I removed the permit gre statement I have intermittent problems, i.e. 2 pings will get back instead of all 5, telnet sessions are super slow, etc. Regardless of whether I have the statement in or out, I can see the number of packets being encrypted/decrypted by IPSEC increasing (and faster when using ICMP).
I thought that MTU was an issue, so I decreased it to 1300 on both tunnel and physical interfaces.
I can post configs if need be, but I'm starting to think that I need to have the access-list statement in there?
Thanks
Comments
jeanathan (Member, Posts: 163):
Quote:
permit esp R1 R2
permit udp R1 R2 eq isakmp
permit gre R1 R2
edit: Sorry, the title and seeing it as one access-list confused me; I think I understand now. Btw, thanks for pushing my skill limit.
Found a suggestion on doing this kind of lockdown in this Cisco config guide: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml
IOS version 12.2 for this example, btw.
access-list 100 permit udp any host 14.24.117.1 eq 500
access-list 100 permit esp any host 14.24.117.1
access-list 100 permit gre any host 14.24.117.1
access-list 100 deny ip any any
Applying that extended list 100 inbound on the outside interface fa0/0.
kalebksp (Member, Posts: 1,033):
jeanathan, the access list the OP posted is filtering inbound traffic, not specifying interesting traffic.
4E6564, what IOS version are you running? Older ones would check IPSec traffic against the access list before and after decryption. Although in that case traffic should stop altogether, not just slow down. Posting the config would help.
4E6564 (Member, Posts: 32):
Quote:
permit esp R1 R2
Ok, think about this. The access list defines what traffic is to be encrypted by the crypto map configuration on your router. So if you tell the crypto map to only encrypt traffic that is already encrypted by IPSec, hence the esp header/footer, then what purpose does that serve? I would be encrypting already encrypted traffic. So likewise, if I tell the crypto map to encrypt only udp traffic, well, gre uses udp, but so does tftp. The best way to do this then becomes nailing down the gre traffic and saying, hey crypto map, encrypt the gre traffic between these two IP addresses representing a particular tunnel. This way I can have, say, 10 gre tunnels being encrypted from router 1 destined to routers/endpoints 2 through 11.
Here is an example: this is from R1HQ to Branch4; it does a GRE over IPSec tunnel to Branch4, which has a public IP of 193.1.1.10/30. The tunnel interface tun0 on Branch4 has an IP of 10.0.0.2/30, so you can see the access-list doesn't match tunnel IP addresses. My R1HQ has a serial interface with a public IP of 193.1.1.9/30.
Quote:
#show access-list 101
Extended IP access list 101
10 permit gre host 193.1.1.9 host 193.1.1.10
...of course I tie this in under my crypto map config with match address 101.
Note: this is from a contained gns3 lab, not a real network.
Those aren't crypto map access lists. They are applied to the interfaces of the routers as specified above. They are ACLs being used to filter traffic coming into the routers.
The crypto map statement is simply permit gre R1 R2 .... that is what defines the interesting traffic that will have IPSEC applied to it.
4E6564 (Member, Posts: 32):
There is a router as a hop in the middle...that is what the statics are pointing to.
I specified R1 and R2 for simplicity in the previous post; below you will notice it is R1 and R4.
Thanks,
Version 12.3(4)T2
R1#show run
Building configuration...
Current configuration : 1987 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gscJ$ZXont316ohW3tX/eloZlK0
!
no aaa new-model
ip subnet-zero
!
ip ssh break-string
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 172.16.0.4
!
crypto ipsec transform-set TO_R4 esp-des esp-md5-hmac
!
crypto map VPNtoR4 10 ipsec-isakmp
 set peer 172.16.0.4
 set transform-set TO_R4
 match address 101
!
interface Tunnel1
 ip address 192.168.0.1 255.255.255.0
 tunnel source 10.0.0.1
 tunnel destination 172.16.0.4
 crypto map VPNtoR4
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group FW in
 duplex auto
 speed auto
 crypto map VPNtoR4
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 1.1.1.1 0.0.0.0
 network 192.168.0.1 0.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 172.16.0.4 255.255.255.255 10.0.0.2
!
ip access-list extended FW
 permit esp host 172.16.0.4 host 10.0.0.1
 permit udp host 172.16.0.4 host 10.0.0.1 eq isakmp
 deny ip any any
ip access-list extended TEST
 permit icmp any any
access-list 101 remark ENCRYPTGRE
access-list 101 permit gre host 10.0.0.1 host 172.16.0.4
access-list 199 permit icmp any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 1340
 password cisco
 login
 transport input telnet
!
end
R4#show run
Building configuration...
Current configuration : 1735 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
!
no aaa new-model
ip subnet-zero
!
no ip domain lookup
!
ip ssh break-string
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mykey address 10.0.0.1
!
crypto ipsec transform-set TO_R1 esp-des esp-md5-hmac
!
crypto map VPNtoR1 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TO_R1
 match address 101
!
interface Tunnel1
 ip address 192.168.0.4 255.255.255.0
 tunnel source 172.16.0.4
 tunnel destination 10.0.0.1
 crypto map VPNtoR1
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.0.4 255.255.255.0
 ip access-group FW in
 duplex auto
 speed auto
 crypto map VPNtoR1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 4.4.4.4 0.0.0.0
 network 192.168.0.4 0.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 10.0.0.1 255.255.255.255 172.16.0.2
!
ip access-list extended FW
 permit esp host 10.0.0.1 host 172.16.0.4
 permit udp host 10.0.0.1 host 172.16.0.4 eq isakmp
 deny ip any any log
access-list 101 remark ENCRYPTGRE
access-list 101 permit gre host 172.16.0.4 host 10.0.0.1
access-list 199 permit icmp any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end
kalebksp (Member, Posts: 1,033):
Yep, before 12.3(8)T IPSec traffic was checked against the interface access list twice, so that's probably what you're running into.
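To make kalebksp's point concrete, here is a constructed Python model (added here, not from the thread or from IOS) of the inbound path on R4: the FW list is evaluated on the arriving ESP packet and, on IOS before 12.3(8)T, again on the decrypted GRE packet, so the tightened list drops the tunnel traffic while the version with permit gre passes it. The addresses and ACL entries are taken from the configs above; the packet, the match semantics and the double-check flag are simplifying assumptions.

```python
# Constructed model (not IOS code) of an inbound interface ACL on a GRE-over-IPsec peer,
# including the pre-12.3(8)T behaviour of re-checking the packet after decryption.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str               # "esp", "gre", "udp", ...
    src: str
    dst: str
    dport: int = None        # only meaningful for udp/tcp
    inner: "Packet" = None   # GRE packet carried inside a tunnel-mode ESP packet

@dataclass
class Ace:
    """One access-list entry, e.g. 'permit esp host 10.0.0.1 host 172.16.0.4'."""
    action: str
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: int = None
    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))

def acl_permits(acl: list, p: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

def inbound(acl: list, p: Packet, recheck_after_decrypt: bool):
    """Returns (packet handed on to the tunnel interface, or None; list of ACL denies)."""
    denies = []
    if not acl_permits(acl, p):
        denies.append(f"denied {p.proto} {p.src} -> {p.dst} (ciphertext)")
        return None, denies
    if p.proto == "esp" and p.inner is not None:
        clear = p.inner  # IPsec strips the ESP header, exposing the GRE packet
        if recheck_after_decrypt and not acl_permits(acl, clear):
            denies.append(f"denied {clear.proto} {clear.src} -> {clear.dst} (after decrypt)")
            return None, denies
        return clear, denies
    return p, denies

# R4's FW list from the thread, without and with the 'permit gre' line.
FW_TIGHT = [Ace("permit", "esp", "10.0.0.1", "172.16.0.4"),
            Ace("permit", "udp", "10.0.0.1", "172.16.0.4", 500), Ace("deny", "ip")]
FW_WITH_GRE = FW_TIGHT[:2] + [Ace("permit", "gre", "10.0.0.1", "172.16.0.4")] + FW_TIGHT[2:]
# Constructed ESP packet from R1 to R4 carrying the GRE tunnel packet.
ESP_FROM_R1 = Packet("esp", "10.0.0.1", "172.16.0.4", inner=Packet("gre", "10.0.0.1", "172.16.0.4"))
```

On the real R4, the `deny ip any any log` entry already in its FW list is the place to confirm this: denies of GRE (IP protocol 47) from 10.0.0.1 showing up in the buffered log would be the post-decryption check firing, while plain cleartext GRE arriving from outside is still dropped by the tight list either way.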