From: Rob Hopkins (rshopkins@xxxxxxxxxxxxx)
Date: Thu May 03 2001 - 19:26:41 GMT-3
If you set your GRE tunnel as interesting in your crypto map, then the
tunnel will only be up while IPsec is up. Of course, tweak your access
lists to lock down access from non-tunnel traffic...

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 86399
crypto isakmp key funkypassword address a.a.a.a
!
!
crypto ipsec transform-set wackytrans1 ah-sha-hmac esp-3des
!
crypto map wackymap1 10 ipsec-isakmp
 set peer a.a.a.a
 set transform-set wackytrans1
 match address 133
!
cns event-service server
!
!
!
interface Tunnel199
 description Tunnel
 ip address 10.10.199.2 255.255.255.252
 tunnel source b.b.b.b
 tunnel destination a.a.a.a
 crypto map wackymap1
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 crypto map wackymap1
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip address b.b.b.b 255.255.255.248
 ip access-group 144 in
 ip nat outside
 frame-relay interface-dlci 101 IETF
 crypto map wackymap1
!
!
access-list 133 permit gre host b.b.b.b host a.a.a.a

----- Original Message -----
From: "Walter Chen" <wchen@iloka.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, May 03, 2001 11:09 AM
Subject: Routing across IPSec tunnel
> Can anyone tell me how to enable routing across an IPSec tunnel?
>
> The basic problem is that when an IPSec tunnel is created
> using the public IPs on both ends, a routing protocol, say,
> EIGRP, does not know how to route across that tunnel, since
> it does not see any interface associated with the remote
> private ip network (the IPSec SA has the info but EIGRP
> could not see it). While one can ping the remote private
> address, there is no route showing up in the routing table.
>
> One way to get around this is to create a GRE tunnel across
> the public IP, and assign the tunnel interface a private IP.
> In this case, the routing does go through. This solution
> has its own problem, however, because the static GRE tunnel
> will connect the remote private networks even when NO IPSec
> tunnel exists or after the SA expires and so no traffic will
> be encrypted.
>
> Any ideas? Thanks!!
>
> Walter
> **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:33 GMT-3
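
The failure mode raised in the question (a GRE tunnel that carries traffic with no IPSec protecting it) can be audited from the configuration text. The following is an added example, not part of the original posts: the function names are hypothetical, and it assumes `tunnel source` is given as an address, the crypto ACL uses `host` entries, and the crypto map is applied on a non-tunnel interface.

```python
import re

# Constructed sample: a subset of the reply's config, placeholders a.a.a.a / b.b.b.b kept.
SAMPLE = """\
crypto map wackymap1 10 ipsec-isakmp
 set peer a.a.a.a
 match address 133
interface Tunnel199
 tunnel source b.b.b.b
 tunnel destination a.a.a.a
 crypto map wackymap1
interface Serial0.1 point-to-point
 crypto map wackymap1
access-list 133 permit gre host b.b.b.b host a.a.a.a
"""

def sections(cfg):
    """Group indented sub-commands under their top-level IOS command."""
    out, head = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if not raw[0].isspace():
            head = raw.strip()
            out[head] = []
        elif head is not None:
            out[head].append(raw.strip())
    return out

def unprotected_gre_tunnels(cfg):
    """Return tunnel interfaces whose GRE packets no applied crypto map selects."""
    acls, maps, applied, tunnels = {}, [], set(), {}
    for head, subs in sections(cfg).items():
        kv = {tuple(s.split()[:2]): s.split()[-1] for s in subs}
        m = re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)$", head)
        if m:
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", head)
        if m:  # one tuple per sequence number so peer and ACL stay paired
            maps.append((m.group(1), kv.get(("set", "peer")), kv.get(("match", "address"))))
        if head.startswith("interface "):
            name = head.split()[1]
            if name.lower().startswith("tunnel"):
                tunnels[name] = (kv.get(("tunnel", "source")), kv.get(("tunnel", "destination")))
            elif ("crypto", "map") in kv:
                applied.add(kv[("crypto", "map")])
    return [t for t, (src, dst) in tunnels.items()
            if not any(n in applied and peer == dst and (src, dst) in acls.get(acl, ())
                       for n, peer, acl in maps)]
```

An empty list means every tunnel's source/destination pair is matched by a `permit gre` entry in an ACL that an applied crypto map references for that peer; any name returned is a tunnel that would pass GRE in the clear.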