RE: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)

From: Jason T. Rohm (jtrohm@xxxxxxxxxxx)
Date: Mon Feb 05 2001 - 23:14:34 GMT-3

• Next message: Patrick Murphy: "Re: Lab day"
• Previous message: Chuck Larrieu: "RE: Practice Labs?"
• Maybe in reply to: Jason T. Rohm: "IPSec w/GRE or IPinIP Tunnels (Troubleshooting)"
• Next in thread: Jason T. Rohm: "RE: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
Richard,

I'm confused... All traffic between both ends of the network *SHOULD* be GRE
encapsulated with 10.254.254.1/10.254.253.2 as the src/dst... Right?

I don't want to send encrypted data across the tunnel, I want to encrypt the
*whole* tunnel (including the GRE header).

Ideas?

-Jason

-----Original Message-----
From: Foltz [mailto:globalfx@netropolis.net]
Sent: Monday, February 05, 2001 7:57 PM
To: Jason T. Rohm
Cc: ccielab@groupstudy.com
Subject: Re: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)

you need to change the access list 106 on both routers to be tcp, or ip
instead of gre. The way you have it only gre encapsulated traffic will be
encrypted through the tunnel. if u change it from gre to tcp/ or ip then
trafffic to and from those hosts will be encrypted but no others will be.
Also, 11.3 has problem when u try to NAT and do IPSec at the same time, i
use 12.07T at work and have no problems doing NAT and IPSec.

Richard Foltz, CCNP-Voice, CCNP, CCDP, MCSE+I, Network+, A+
Attempt 2 @ Halifax 3/26-27

----- Original Message -----
From: "Jason T. Rohm" <jtrohm@athenet.net>
To: "'Kyle Galusha'" <kgalusha@cisco.com>
Cc: "CCIELIST (E-mail)" <ccielab@groupstudy.com>
Sent: Monday, February 05, 2001 7:07 PM
Subject: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)

> I am having some problems with my newly "IpSec'd" tunnel... Do you have
> experience working with these @#$% things?
>
> A "debug crypto ipsec" shows that *SOME* of my IPinIP/GRE (I've tried it
> both ways) packets are coming in w/o the IPSec wrapper. I have double
> checked my crypto maps/access-lists for accuracy, but am having a hard
time
> determining why only some of the data isn't getting encrypted (my OSPF
> packets are getting through just fine, but I can't ping or telnet).
>
> My lab is connected to the internet if you would like to take a look for
> yourself. Let me know if that would be helpful.
>
> Basic Layout:
>
> |-[3640B]--[other router]--[1605A]-|
> ^- IPinIP or GRE Tunnel -^
>
> OSPF AS 50 runs on center router and connected interfaces of end routers.
> OSPF AS 10 runs only on end routers' outside interfaces and the tunnel
> interface.
> No redistribution takes place between OSPF AS's.
>
> I show complete routing tables on both ends in OSPF AS 10.
> I can ping from either tunnel interface to the other end.
> I cannot ping the other end of the tunnel using the outside interfaces as
> the source.
>
> debug crypto ipsec:
>
> Feb 5 18:52:33.867: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
> (ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
> Feb 5 18:56:47.816: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
> IPSEC packet.
> (ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
>
> Code Summary:
>
> ****** 1605A ******
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key MYCRYPTOKEY address 10.254.254.1
> !
> !
> crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
> mode transport
> !
> crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> set peer 10.254.254.1
> set transform-set ZERO_ONE
> set pfs group2
> match address 106
> !
> interface Tunnel0
> ip address 10.250.250.2 255.255.255.0
> tunnel source 10.254.253.2
> tunnel destination 10.254.254.1
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet0
> ip address 10.254.253.2 255.255.255.0
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet1
> ip address 10.1.10.1 255.255.255.0
> !
> router ospf 10
> network 10.1.10.0 0.0.0.255 area 1
> network 10.250.250.0 0.0.0.255 area 1
> !
> access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
> access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
> access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
> access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
> !
>
> ****** 3640B ******
>
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key MYCRYPTOKEY address 10.254.253.2
> !
> !
> crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
> mode transport
> !
> crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> set peer 10.254.253.2
> set transform-set ZERO_ONE
> set pfs group2
> match address 106
> !
> interface Tunnel0
> ip address 10.250.250.1 255.255.255.0
> tunnel source 10.254.254.1
> tunnel destination 10.254.253.2
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet0/0
> ip address 10.0.10.36 255.255.255.0
> !
> interface Ethernet0/1
> ip address 10.254.254.1 255.255.255.0
> crypto map ZERO_ONE_MAP
> !
> router ospf 10
> network 10.0.10.0 0.0.0.255 area 1
> network 10.250.250.0 0.0.0.255 area 1
> !
> access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
> access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
> access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
> access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
> !
>
> ***** End Code ******
>
> Thank you,
>
> Jason T. Rohm
> Sr. Network Engineer
> Wire Technologies, Inc
> jtrohm@wiretech-inc.com
> (920) 766-5172
>

• Next message: Patrick Murphy: "Re: Lab day"
• Previous message: Chuck Larrieu: "RE: Practice Labs?"
• Maybe in reply to: Jason T. Rohm: "IPSec w/GRE or IPinIP Tunnels (Troubleshooting)"
• Next in thread: Jason T. Rohm: "RE: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:37 GMT-3