Issue with IPSEC/GRE access-lists

4E6564 Member Posts: 32
Hi,

I'm trying to lock down some access-lists on a router.

Two routers R1 and R2 -- endpoints for an IPSEC tunnel where the interesting traffic is GRE between the two routers (thus encrypt the GRE tunnel and everything inside the GRE tunnel).

Everything works great when I have access lists like the following (inbound on the interface connected to the far router):
On R2
permit esp R1 R2
permit udp R1 R2 eq isakmp
permit gre R1 R2


I was under the impression that I could get the list down to:
permit esp R1 R2
permit udp R1 R2 eq isakmp

If IPSEC is running in tunnel mode wouldn't it completely encapsulate the GRE? Making it not needed in access lists?


After I removed the permit gre statement I have intermittent problems, i.e. 2 pings get back instead of all 5, telnet sessions are super slow, etc. Regardless of whether I have the statement in or out, I can see the number of packets being encrypted/decrypted by IPSEC increasing (and faster when using ICMP).

I thought that MTU was an issue, so I decreased it to 1300 on both tunnel and physical interfaces.



I can post configs if need be, but I'm starting to think that I need to have the access-list statement in there?


Thanks

Comments

  • jeanathan Member Posts: 163
    permit esp R1 R2
    permit udp R1 R2 eq isakmp
    permit gre R1 R2

    edit: Sorry, the title and seeing it as one access-list confused me; I think I understand now. Btw, thanks for pushing my skill limit ;)

    found a suggestion on doing this kind of lockdown on this cisco config guide: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

    IOS version 12.2 for this example, btw.
    access-list 100 permit udp any host 14.24.117.1 eq 500
    access-list 100 permit esp any host 14.24.117.1
    access-list 100 permit gre any host 14.24.117.1
    access-list 100 deny ip any any

    Applying that extended list 100 inbound on the outside interface fa0/0
    Struggling through the re-certification process after 2 years of no OJT for the CCNP.
  • kalebksp Member Posts: 1,033
    jeanathan, the access list the OP posted is filtering inbound traffic, not specifying interesting traffic.

    4E6564, what IOS version are you running? Older ones would check IPSec traffic against the access list before and after decryption. Although in that case traffic should stop altogether, not just slow down. Posting the config would help.
  • 4E6564 Member Posts: 32
    Quote:
    permit esp R1 R2
    Ok, think about this. The access list defines what traffic is to be encrypted by the crypto map configuration on your router. So if you tell the crypto map to only encrypt traffic that is already encrypted by IPSec, hence the esp header/footer, then what purpose does that serve? I would be encrypting already encrypted traffic. So likewise if I tell the crypto map to encrypt only udp traffic, well gre uses udp, but so does tftp. The best way to do this then becomes nailing down the gre traffic and saying hey crypto map, encrypt the gre traffic between these two ip addresses representing a particular tunnel. This way I can have say 10 gre tunnels being encrypted from router 1 destined to routers/endpoints 2 through 11.

    Here is an example: this is from R1HQ to Branch4; it does a GRE over IPSec tunnel to Branch4, which has a public ip of 193.1.1.10/30, the tunnel interface tun0 on Branch4 has an ip of 10.0.0.2/30 so you can see the access-list doesn't match tunnel ip addresses. My R1HQ has a serial interface with a public ip of 193.1.1.9/30
    Quote:
    #show access-list 101
    Extended IP access list 101
    10 permit gre host 193.1.1.9 host 193.1.1.10
    ...of course I tie this in under my crypto map config with match address 101.

    Note: this is from a contained gns3 lab, not a real network.


    Those aren't crypto map access lists. They are applied to the interfaces of the routers as specified above. They are ACLs being used to filter traffic coming into the routers.


    The crypto map statement is simply permit gre R1 R2 .... that is what defines the interesting traffic that will have IPSEC applied to it.
  • 4E6564 Member Posts: 32
    There is a router as a hop in the middle...that is what the statics are pointing to.
    I specified R1 and R2 for simplicity in the previous, below you will notice it is R1 and R4
    Thanks,


    Version 12.3(4)T2,


    R1#show run

    Building configuration...

    Current configuration : 1987 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$gscJ$ZXont316ohW3tX/eloZlK0
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    ip ssh break-string
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp key mykey address 172.16.0.4
    !
    !
    crypto ipsec transform-set TO_R4 esp-des esp-md5-hmac
    !
    crypto map VPNtoR4 10 ipsec-isakmp
    set peer 172.16.0.4
    set transform-set TO_R4
    match address 101
    !
    !
    !
    !
    !
    interface Tunnel1
    ip address 192.168.0.1 255.255.255.0
    tunnel source 10.0.0.1
    tunnel destination 172.16.0.4
    crypto map VPNtoR4
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
    ip address 10.0.0.1 255.255.255.0
    ip access-group FW in
    duplex auto
    speed auto
    crypto map VPNtoR4
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    !
    router eigrp 1
    passive-interface FastEthernet0/0
    passive-interface Loopback0
    network 1.1.1.1 0.0.0.0
    network 192.168.0.1 0.0.0.0
    no auto-summary
    !
    ip http server
    no ip http secure-server
    ip classless
    ip route 172.16.0.4 255.255.255.255 10.0.0.2
    !
    !
    !
    ip access-list extended FW
    permit esp host 172.16.0.4 host 10.0.0.1
    permit udp host 172.16.0.4 host 10.0.0.1 eq isakmp
    deny   ip any any
    ip access-list extended TEST
    permit icmp any any
     
    access-list 101 remark ENCRYPTGRE
    access-list 101 permit gre host 10.0.0.1 host 172.16.0.4
    access-list 199 permit icmp any any
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password cisco
    login
    transport input telnet
    line vty 5 1340
    password cisco
    login
    transport input telnet
    !
    !
    end

    R4#show run

    Building configuration...

    Current configuration : 1735 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R4
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 10000 debugging
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    no ip domain lookup
    !
    !
    ip ssh break-string
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    authentication pre-share
    crypto isakmp key mykey address 10.0.0.1
    !
    !
    crypto ipsec transform-set TO_R1 esp-des esp-md5-hmac
    !
    crypto map VPNtoR1 10 ipsec-isakmp
    set peer 10.0.0.1
    set transform-set TO_R1
    match address 101
    !
    !
    !
    !
    !
    interface Tunnel1
    ip address 192.168.0.4 255.255.255.0
    tunnel source 172.16.0.4
    tunnel destination 10.0.0.1
    crypto map VPNtoR1
    !
    interface Loopback0
    ip address 4.4.4.4 255.255.255.255
    !
    interface FastEthernet0/0
    ip address 172.16.0.4 255.255.255.0
    ip access-group FW in
    duplex auto
    speed auto
    crypto map VPNtoR1
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    !
    router eigrp 1
    passive-interface FastEthernet0/0
    passive-interface Loopback0
    network 4.4.4.4 0.0.0.0
    network 192.168.0.4 0.0.0.0
    no auto-summary
    !
    ip http server
    no ip http secure-server
    ip classless
    ip route 10.0.0.1 255.255.255.255 172.16.0.2
    !
    !
    !
    ip access-list extended FW
    permit esp host 10.0.0.1 host 172.16.0.4
    permit udp host 10.0.0.1 host 172.16.0.4 eq isakmp
    deny   ip any any log
    access-list 101 remark ENCRYPTGRE
    access-list 101 permit gre host 172.16.0.4 host 10.0.0.1
    access-list 199 permit icmp any any
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end
  • kalebksp Member Posts: 1,033
    Yep, before 12.3(8)T IPSec traffic was checked against the interface access list twice, so that's probably what you're running into.
  • 4E6564 Member Posts: 32
    Thanks, man that was driving me crazy!
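The following is an added example, not code from the thread or from Cisco: a small Python model of the behaviour kalebksp describes, where IOS before 12.3(8)T runs IPsec traffic through the inbound interface ACL twice (once on the arriving ESP packet, once on the decrypted payload), while later releases check it only once. The ACL entries and peer addresses are taken from the R1 config posted above; the packets, the `double_check` flag and the helper names are constructed for the demonstration.

```python
# Added example (not from the thread): how an inbound interface ACL interacts
# with IPsec decryption on IOS before and after 12.3(8)T. The ACL and addresses
# mirror the posted R1 "FW" list; the packets are constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISAKMP_PORT = 500  # "eq isakmp" in an IOS extended ACL means UDP port 500


@dataclass(frozen=True)
class Packet:
    proto: str                        # "esp", "udp", "gre", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None       # only meaningful for udp/tcp
    inner: Optional["Packet"] = None  # cleartext payload carried inside ESP


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any" or a host address
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Extended-ACL match on protocol, source, destination and destination port."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def inbound(acl: List[Ace], pkt: Packet, double_check: bool) -> Tuple[bool, str]:
    """Process one packet arriving on an interface with `acl` applied inbound.

    double_check=True models IOS before 12.3(8)T (hypothetical flag): the
    decrypted payload of an ESP packet is run through the same ACL again.
    """
    if not acl_permits(acl, pkt):
        return False, f"dropped before decryption ({pkt.proto})"
    if pkt.proto != "esp" or pkt.inner is None:
        return True, f"permitted ({pkt.proto})"
    if double_check and not acl_permits(acl, pkt.inner):
        return False, f"dropped after decryption ({pkt.inner.proto})"
    return True, f"permitted; decrypted {pkt.inner.proto} delivered"


# R1's "FW" list as posted: ESP and ISAKMP from the peer, then deny ip any any.
R4, R1 = "172.16.0.4", "10.0.0.1"
FW = [
    Ace("permit", "esp", R4, R1),
    Ace("permit", "udp", R4, R1, dport=ISAKMP_PORT),
    Ace("deny", "ip", "any", "any"),
]
# The same list with the "permit gre" entry the OP had originally.
FW_WITH_GRE = [Ace("permit", "gre", R4, R1)] + FW

# Constructed traffic: an ESP packet from R4 whose decrypted payload is the
# GRE tunnel packet, and an ISAKMP (UDP/500) packet.
ESP_CARRYING_GRE = Packet("esp", R4, R1, inner=Packet("gre", R4, R1))
ISAKMP = Packet("udp", R4, R1, dport=ISAKMP_PORT)


def summarize(double_check: bool) -> dict:
    """Outcome of both ACL variants for the ESP-wrapped GRE packet and for ISAKMP."""
    return {
        "FW": inbound(FW, ESP_CARRYING_GRE, double_check)[0],
        "FW_WITH_GRE": inbound(FW_WITH_GRE, ESP_CARRYING_GRE, double_check)[0],
        "isakmp": inbound(FW, ISAKMP, double_check)[0],
    }


if __name__ == "__main__":
    for label, dc in (("pre-12.3(8)T (double check)", True),
                      ("12.3(8)T and later", False)):
        print(label, summarize(dc))
```

Run as-is, the pre-12.3(8)T row shows the decrypted GRE packet failing the two-line `FW` list and passing once `permit gre` is present, while the later-release row permits it with either list, which is the reduced ACL the OP was aiming for. The model treats the second check as a hard drop; kalebksp notes that a complete stop, not the slowdown the OP saw, is what that behaviour should produce, so read the example as illustrating the order of checks rather than exact packet accounting.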