Issue with IPSEC/GRE access-lists

Hi,

I'm trying to lock down some access-lists on a router..

Two routers R1 and R2 -- endpoints for an IPSEC tunnel where the interesting traffic is GRE between the two routers (thus encrypt the GRE tunnel and everything inside the GRE tunnel).

Everything works great when I have access lists like the following (inbound on the interface connected to the far router)
On R2
permit esp R1 R2
permit udp R1 R2 eq isakmp
permit gre R1 R2

I was under the impression that I could get the list down to:
permit esp R1 R2
permit udp R1 R2 eq isakmp

If IPSEC is running in tunnel mode wouldn't it completely encapsulate the GRE? Making it not needed in access lists?

After I removed the permit gre statement I have intermittent problems. IE 2 pings will get back, instead of all 5...telnet sessions super slow etc ...Regardless if I have the statement in or out I can see the number of packets being ency/dec by IPSEC increasing (and faster when using ICMP).

I thought that MTU was an issue, so I decreased it to 1300 on both tunnel and physical interfaces.

I can post configs if need be, but I'm starting to think that I need to have the access-list statement in there?

Thanks

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

jeanathan

permit esp R1 R2
permit udp R1 R2 eq isakmp
permit gre R1 R2

edit: Sorry title and seeing as one access-list confused me, I think I understand now. Btw, thanks for pushing my skill limit

found a suggestion on doing this kind of lockdown on this cisco config guide: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

IOS version 12.2 for this example, btw.

access-list 100 permit udp any host 14.24.117.1 eq 500
access-list 100 premit esp any host 14.24.117.1
access-list 100 permit gre any host 14.24.117.1
access-list 100 deny ip any any

Applying that extended list 100 inbound on the outside interface fa0/0

kalebksp

jeanathan, the access list the OP posted is filtering inbound traffic, not specifying interesting traffic.

4E6564, what IOS version are you running? Older ones would check IPSec traffic against the access list before and after decryption. Although in that case traffic should stop altogether, not just slow down. Posting the config would help.

4E6564

Quote:
permit esp R1 R2
Ok think about this. The access list defines what traffic is to be encrypted by the crypto map configuration on your router. So if you tell the crypto map to only encrypt traffic that is already encrypted by IPSec, hence the esp header/footer, then what purpose does that serve? I would be encrypting already encrypted traffic. So like wise if I tell the crypto map to encrypt only udp traffic, well gre uses udp, but so does tftp. The best way to do this then becomes nailing down the gre traffic and saying hay crypto map encrypt the gre traffic between these two ip address representing a particular tunnel. This way I can have say 10 gre tunnels being encrypted from router 1 destined to routers/endpoints 2 through 11.

Here is an example: this is from R1HQ to Branch4; it does a GRE over IPSec tunnel to Branch4, which has a public ip of 193.1.1.10/30, the tunnel interface tun0 on Branch4 has an ip of 10.0.0.2/30 so you can see the access-list doesn't match tunnel ip addresses. My R1HQ has a serial interface with a public ip of 193.1.1.9/30
Quote:
#show access-list 101
Extended IP access list 101
10 permit gre host 193.1.1.9 host 193.1.1.10
...of course I tie this in under my crypto map config with match address 101.

Note: this is from a contained gns3 lab, not a real network.

Those aren't crypto map access lists. They are applied to the interfaces of the routers as specified above. They are ACLs being used to filter traffic coming into the routers.

The crypto map statement is simply permit gre R1 R2 .... that is what defines the interesting traffic that will have IPSEC applied to it.

4E6564

There is a router as a hop in the middle...that is what the statics are pointing to.
I specified R1 and R2 for simplicity in the previous, below you will notice it is R1 and R4

Thanks,

Version 12.3(4)T2,

R1#show run

 
[LEFT]Building configuration...

Current configuration : 1987 bytes
[LEFT]!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gscJ$ZXont316ohW3tX/eloZlK0
!
no aaa new-model
ip subnet-zero
!
!
!
!
ip ssh break-string
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key mykey address 172.16.0.4
!
!
crypto ipsec transform-set TO_R4 esp-des esp-md5-hmac
!
crypto map VPNtoR4 10 ipsec-isakmp
set peer 172.16.0.4
set transform-set TO_R4
match address 101
!
!
!
!
!
interface Tunnel1
ip address 192.168.0.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 172.16.0.4
crypto map VPNtoR4
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip access-group FW in
duplex auto
speed auto
crypto map VPNtoR4
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
router eigrp 1
passive-interface FastEthernet0/0
passive-interface Loopback0
network 1.1.1.1 0.0.0.0
network 192.168.0.1 0.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 172.16.0.4 255.255.255.255 10.0.0.2
!
!
!
ip access-list extended FW
permit esp host 172.16.0.4 host 10.0.0.1
permit udp host 172.16.0.4 host 10.0.0.1 eq isakmp
deny   ip any any
ip access-list extended TEST
permit icmp any any
 
access-list 101 remark ENCRYPTGRE
access-list 101 permit gre host 10.0.0.1 host 172.16.0.4
access-list 199 permit icmp any any
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input telnet
line vty 5 1340
password cisco
login
transport input telnet
!
!
end[/LEFT]
[/LEFT]

R4#show run

 
[LEFT]Building configuration...

Current configuration : 1735 bytes
[LEFT]!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
!
ip ssh break-string
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key mykey address 10.0.0.1
!
!
crypto ipsec transform-set TO_R1 esp-des esp-md5-hmac
!
crypto map VPNtoR1 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TO_R1
match address 101
!
!
!
!
!
interface Tunnel1
ip address 192.168.0.4 255.255.255.0
tunnel source 172.16.0.4
tunnel destination 10.0.0.1
crypto map VPNtoR1
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.0.4 255.255.255.0
ip access-group FW in
duplex auto
speed auto
crypto map VPNtoR1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
router eigrp 1
passive-interface FastEthernet0/0
passive-interface Loopback0
network 4.4.4.4 0.0.0.0
network 192.168.0.4 0.0.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 10.0.0.1 255.255.255.255 172.16.0.2
!
!
!
ip access-list extended FW
permit esp host 10.0.0.1 host 172.16.0.4
permit udp host 10.0.0.1 host 172.16.0.4 eq isakmp
deny   ip any any log
access-list 101 remark ENCRYPTGRE
access-list 101 permit gre host 172.16.0.4 host 10.0.0.1
access-list 199 permit icmp any any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end[/LEFT]
[/LEFT]

kalebksp

Yep, before 12.3( 8 )T IPSec traffic was checked against the interface access list twice, so that's probably what you're running into.

4E6564

Thanks, man that was driving me crazy!