IPSec GRE tunnels & interesting traffic

rakem Member Posts: 800
Something has just come to my attention while studying GRE tunnels. Here is the config that SDM has generated from one side of my tunnel (minus irrelevant info)

R1#sh run
Building configuration...

Current configuration : 3695 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key luca address 192.168.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to192.168.1.2
set peer 192.168.1.2
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
interface Loopback10
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
ip mtu 1420
tunnel source Serial1/0
tunnel destination 192.168.1.2
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
ip address 4.4.4.11 255.255.255.0
duplex full
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
crypto map SDM_CMAP_1
!
interface Serial1/1
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
!

router eigrp 10
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
no ip http server
ip http secure-server
!
!
!
logging alarm informational
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 192.168.1.1 host 192.168.1.2
!
!
!
!
!
!

end

R1#

One thing I have noticed is that the only interesting traffic specified in the access-list is GRE from 192.168.1.1 to 192.168.1.2. Does this mean that traffic from my other networks, e.g. 10.1.1.0, is not being sent across the IPsec tunnel?

ALSO

I have just been mucking around a bit, and I'm having trouble establishing the tunnel again after I use the command 'clear crypto isakmp'. Here is my output:

So here we see I have a working IPsec tunnel:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA


I enter in the clear command:
clear crypto isakmp

then get this:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.1 192.168.1.2 MM_NO_STATE 1001 0 ACTIVE (deleted)

OK, so it's been deleted. Now I would assume that something like a routing reconfiguration (since this is a GRE tunnel), or maybe a ping between networks, or something similar would re-establish the tunnel? Well, it doesn't.

I have shut down the tunnel interface and the Serial1/0 interface, but the IPsec tunnel does not come back up. I have run 'clear ip eigrp nei', but that does not bring the tunnel back up either.

The only way the tunnel gets re-established is to reload the router. So I guess I'm missing something...

Can anyone explain to me what's going on here? Cheers.
CCIE# 38186
showroute.net

Comments

  • lildeezul Member Posts: 404
    With that access-list, everything gets encrypted, because it is taking packets and applying GRE headers to them, and since it comes from the tunnel source x.x.x.x, everything will get secured...


    Have you cleared both routers or just one?
    NHSCA National All-American Wrestler 135lb
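An added worked example, mine rather than code from the original post or its replies, that models what the posted config does with one packet. Only what the routing table sends into Tunnel0 gets a GRE header with source 192.168.1.1 and destination 192.168.1.2, and only that GRE packet matches access-list 100 on Serial1/0; the inner 10.1.1.0 addresses never reach the crypto ACL. So whether 10.1.1.0 traffic is protected depends on the route, not on the ACL. The remote network 10.2.2.0/24 and its two candidate paths are constructed for illustration, and the EIGRP interface values (Tunnel0 9 kbit/50000 usec, Serial1/0 1544 kbit/20000 usec) are assumed IOS defaults. Because `network 192.168.1.0` also puts the serial link under `router eigrp 10`, the serial path has the lower metric in this model and traffic to such a prefix leaves Serial1/0 in the clear.

```python
"""Trace R1's forwarding path for GRE over IPsec (added example, not from the post).

Models the posted config: a crypto map whose ACL matches only GRE between the
tunnel endpoints, plus EIGRP running on both Tunnel0 and the underlying serial
link.  Shows which packets actually get encrypted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the posted config
TUNNEL_SRC, TUNNEL_DST = "192.168.1.1", "192.168.1.2"
# SDM put SDM_CMAP_1 on Tunnel0 as well; this model evaluates it at the physical egress
CRYPTO_MAP_IFACES = {"Serial1/0"}
# access-list 100 permit gre host 192.168.1.1 host 192.168.1.2 (implicit deny follows)
CRYPTO_ACL = [("permit", "gre", "192.168.1.1/32", "192.168.1.2/32")]

# Assumed IOS interface defaults that EIGRP uses: (bandwidth kbit, delay usec)
IFACE_PARAMS = {"Serial1/0": (1544, 20000), "Tunnel0": (9, 50000)}

# Constructed scenario: the far router advertises 10.2.2.0/24 over the serial link
# and over the tunnel.  The far-end LAN hop is omitted; it is common to both paths.
CANDIDATES = {"10.2.2.0/24": ["Serial1/0", "Tunnel0"]}


def eigrp_metric(bw_kbit, delay_usec):
    """Classic EIGRP composite metric with default K values (K1=K3=1, others 0)."""
    return 256 * (10_000_000 // bw_kbit + delay_usec // 10)


def build_rib(tunnel_bw_kbit=9):
    """Connected routes from the config plus the lowest-metric EIGRP path per prefix."""
    params = dict(IFACE_PARAMS)
    params["Tunnel0"] = (tunnel_bw_kbit, params["Tunnel0"][1])
    rib = {"192.168.1.0/24": "Serial1/0", "172.16.1.0/24": "Tunnel0",
           "10.1.1.0/24": "Serial1/1", "1.1.1.1/32": "Loopback10"}
    for prefix, egresses in CANDIDATES.items():
        rib[prefix] = min(egresses, key=lambda i: eigrp_metric(*params[i]))
    return rib


def lookup(rib, dst):
    """Longest-prefix match; None when there is no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    inner: Optional["Packet"] = None   # payload packet once GRE-encapsulated


def acl_permits(acl, pkt):
    """First matching entry decides; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, s, d in acl:
        if proto == pkt.proto and src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def forward(rib, pkt):
    """Return (egress interface, protocol on the wire, encrypted?) for one packet."""
    iface = lookup(rib, pkt.dst)
    if iface == "Tunnel0":
        # GRE encapsulation: the outer header carries the tunnel endpoints, so the
        # inner addresses are never what the crypto ACL sees
        pkt = Packet(TUNNEL_SRC, TUNNEL_DST, "gre", inner=pkt)
        iface = lookup(rib, pkt.dst)          # recursive lookup for the tunnel destination
    encrypted = iface in CRYPTO_MAP_IFACES and acl_permits(CRYPTO_ACL, pkt)
    return iface, pkt.proto, encrypted


if __name__ == "__main__":
    for bw in (9, 10000):                      # default tunnel bandwidth, then a raised one
        rib = build_rib(tunnel_bw_kbit=bw)
        for dst in ("172.16.1.2", "10.2.2.5", "192.168.1.2"):
            print(f"tunnel bw {bw:>5} kbit  dst {dst:<12}", forward(rib, Packet("10.1.1.5", dst, "icmp")))
```

With the default tunnel bandwidth the block shows traffic for 10.2.2.0/24 egressing Serial1/0 as plain ICMP, while anything routed to the tunnel's own subnet leaves as GRE and is encrypted; raising the tunnel bandwidth (or keeping 192.168.1.0 out of EIGRP) moves the remote prefix into the tunnel. On a real router the check is `show ip route` for the prefixes you expect protected and the packet counters in `show crypto ipsec sa`, not the crypto ACL on its own.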
  • rakem Member Posts: 800
    lildeezul wrote: »
    With that access-list, everything gets encrypted, because it is taking packets and applying GRE headers to them, and since it comes from the tunnel source x.x.x.x, everything will get secured...


    Have you cleared both routers or just one?


    I just did one side... I ended up doing both sides a bit later and I think it came back up. It was late haha.