From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Thu May 17 2001 - 21:05:45 GMT-3
You control whether traffic goes via the tunnel by your routes - you have EIGRP
configured, and as EIGRP multicasts out the tunnel, this is encapsulated in
a GRE packet and forwarded to the other end of the tunnel. In this way, the
two endpoints can talk EIGRP - the tunnel is a logical segment. When they
exchange routes, they will set the IP addresses of the tunnel interfaces as
next hops - thus when IP packets need to be routed, the next hop will be the
far end of the tunnel, which will invoke GRE encapsulation and transmission.
You can run the following to debug any GRE traffic:
access-list 150 permit gre any any
debug ip packet 150 detail
Regards,
Justin Menga CCIE #6640 CCNP+Voice+ATM CCDP MCSE+I CCSE
Network and Security Consultant
Computerland New Zealand
PO Box 3631, Auckland
DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
mailto: justin.menga@computerland.co.nz
web: http://www.computerland.co.nz
-----Original Message-----
From: Jubil Mathew [mailto:jmathew@cisco.com]
Sent: Friday, 18 May 2001 11:16 a.m.
To: Tim O'Brien; jmathew@cisco.com
Cc: associate@groupstudy.com; ccielab@groupstudy.com
Subject: Re: IPSEC and Tunneling
Hi Tim,
I tried out the configs you gave me. Those were pretty helpful. I still
have a doubt. I configured the Tunnel interfaces to have IP addresses, and the
source addresses were tied to the serial interfaces. I was not able to ping
between the tunnel interfaces. How do I verify that the traffic goes
through the tunnel only? Are there any special debug commands, or is using a
traffic analyser a better solution? Could anyone help me out with this one?
Sorry for the trouble.
Diagram:
3640-1-A (s0/0)
-----------------------WAN----------------------------------(s0/1) 3640-2
3640-1-A#sh run
hostname 3640-1-A
boot system slot0:c3640-io3s56i-mz.1.0.11
enable password cisco
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key test2 address 16.16.17.2
crypto isakmp key test2 address 16.16.20.2
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto map testtest 1 ipsec-isakmp
 set peer 16.16.17.2
 set peer 16.16.20.2
 set transform-set desmd5 ahmd5
 match address 102
interface Tunnel0
 ip address 130.10.10.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 16.16.17.2
 crypto map testtest
interface Serial0/0
 ip address 16.16.18.2 255.255.255.0
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay interface-dlci 101
 frame-relay ip rtp header-compression
 crypto map testtest
router eigrp 1
 network 1.6.0.0 0.0.255.255
 network 16.16.0.0 0.0.255.255
 network 130.10.0.0
 distribute-list 20 out Serial0/0
 no auto-summary
 no eigrp log-neighbor-changes
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
gateway
end
**********************************************************
3640-2#sh run
hostname 3640-2
enable password cisco
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key test2 address 16.16.20.2
crypto isakmp key test2 address 16.16.18.2
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto map testtest 1 ipsec-isakmp
 set peer 16.16.18.2
 set peer 16.16.20.2
 set transform-set desmd5 ahmd5
 match address 101
interface Tunnel0
 ip address 130.10.10.2 255.255.255.0
 tunnel source Serial0/1
 tunnel destination 16.16.18.2
 crypto map testtest
interface Serial0/1
 ip address 16.16.17.2 255.255.255.0
 encapsulation frame-relay
 no ip route-cache
 ip split-horizon
 no ip mroute-cache
 no fair-queue
 frame-relay interface-dlci 200
 crypto map testtest
router eigrp 1
 network 1.4.0.0 0.0.255.255
 network 1.7.0.0 0.0.255.255
 network 16.16.0.0 0.0.255.255
 network 140.10.0.0
 no auto-summary
 no eigrp log-neighbor-changes
access-list 101 permit gre host 16.16.17.2 host 16.16.18.2 log
end
**************************************************************
3640-1-A#ping 130.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.10.10.2, timeout is 2 seconds:
*Mar 1 01:30:32.867: IP: s=1.6.0.21 (local), d=224.0.0.2 (Ethernet0/0), len 48, sending broad/multicast
*Mar 1 01:30:34.247: IP: s=16.16.18.1 (Serial0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 1 01:30:34.507: IP: s=16.16.18.2 (local), d=224.0.0.10 (Serial0/0), len 60, sending broad/multicast
*Mar 1 01:30:34.679: IP: s=130.10.10.1 (local), d=130.10.10.2 (Tunnel0), len 100, sending
*Mar 1 01:30:34.679: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 124, sending
*Mar 1 01:30:35.135: IP: s=1.6.0.90 (Ethernet0/0), d=2.0.0.3, len 48, unroutable
*Mar 1 01:30:35.135: IP: s=1.6.0.21 (local), d=1.6.0.90 (Ethernet0/0), len 56, sending
*Mar 1 01:30:35.135: IP: s=1.6.0.90 (Ethernet0/0), d=2.0.0.3, len 48, unroutable.
*Mar 1 01:30:35.299: IP: s=1.6.0.21 (local), d=224.0.0.10 (Ethernet0/0), len 60, sending broad/multicast
*Mar 1 01:30:35.455: IP: s=130.10.10.1 (local), d=224.0.0.10 (Tunnel0), len 60, sending broad/multicast
*Mar 1 01:30:35.455: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 84, sending
*Mar 1 01:30:35.459: IP: s=1.6.0.21 (local), d=224.0.0.2 (Ethernet0/0), len 48, sending broad/multicast
*Mar 1 01:30:36.591: IP: s=1.6.0.90 (Ethernet0/0), d=2.0.0.3, len 48, unroutable
*Mar 1 01:30:36.591: IP: s=1.6.0.21 (local), d=1.6.0.90 (Ethernet0/0), len 56, sending
*Mar 1 01:30:36.679: IP: s=130.10.10.1 (local), d=130.10.10.2 (Tunnel0), len 100, sending
*Mar 1 01:30:36.679: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 124, sending.
*Mar 1 01:30:38.163: IP: s=1.6.0.21 (local), d=224.0.0.2 (Ethernet0/0), len 48, sending broad/multicast
*Mar 1 01:30:38.679: IP: s=130.10.10.1 (local), d=130.10.10.2 (Tunnel0), len 100, sending
*Mar 1 01:30:38.679: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 124, sending
*Mar 1 01:30:38.951: IP: s=1.6.0.90 (Ethernet0/0), d=172.19.173.35, len 56, unroutable
*Mar 1 01:30:38.951: IP: s=1.6.0.21 (local), d=1.6.0.90 (Ethernet0/0), len 56, sending
*Mar 1 01:30:38.951: IP: s=1.6.0.90 (Ethernet0/0), d=172.19.173.35, len 76, unroutable
*Mar 1 01:30:39.111: IP: s=16.16.18.2 (local), d=224.0.0.10 (Serial0/0), len 60, sending broad/multicast.
*Mar 1 01:30:39.155: IP: s=16.16.18.1 (Serial0/0), d=224.0.0.10, len 60, rcvd 2
*Mar 1 01:30:39.547: IP: s=1.6.0.90 (Ethernet0/0), d=2.0.0.3, len 48, unroutable
*Mar 1 01:30:39.547: IP: s=1.6.0.21 (local), d=1.6.0.90 (Ethernet0/0), len 56, sending
*Mar 1 01:30:39.831: IP: s=130.10.10.1 (local), d=224.0.0.10 (Tunnel0), len 60, sending broad/multicast
*Mar 1 01:30:39.831: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 84, sendingu a
Success rate is 0 percent (0/3)
********************************************************************
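Applying Justin's "debug ip packet" approach to the output Jubil posted, as an added example that belongs to neither message: a small Python parser over constructed debug lines (same addresses and lengths as the ping above) that pairs each packet routed into Tunnel0 with the GRE copy sent out Serial0/0 and checks the 24-byte overhead, which is assumed here to be a 20-byte outer IPv4 header plus a 4-byte GRE header with no key, checksum or sequence options.

```python
import re

# Constructed sample: a subset of the "debug ip packet" lines quoted in the
# thread, with the same addresses and lengths, so the check runs offline.
SAMPLE_DEBUG = """\
*Mar 1 01:30:34.507: IP: s=16.16.18.2 (local), d=224.0.0.10 (Serial0/0), len 60, sending broad/multicast
*Mar 1 01:30:34.679: IP: s=130.10.10.1 (local), d=130.10.10.2 (Tunnel0), len 100, sending
*Mar 1 01:30:34.679: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 124, sending
*Mar 1 01:30:35.135: IP: s=1.6.0.90 (Ethernet0/0), d=2.0.0.3, len 48, unroutable
*Mar 1 01:30:35.455: IP: s=130.10.10.1 (local), d=224.0.0.10 (Tunnel0), len 60, sending broad/multicast
*Mar 1 01:30:35.455: IP: s=16.16.18.2 (Tunnel0), d=16.16.17.2 (Serial0/0), len 84, sending
"""

# source, input interface (or "local"), destination, optional output
# interface, IP total length, switching decision
LINE_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]*)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<out_if>[^)]*)\))?, len (?P<len>\d+), (?P<action>.*)$"
)

# Assumed overhead: 20-byte outer IPv4 header plus the 4-byte GRE header
# used when no key, checksum or sequence options are configured.
GRE_OVERHEAD = 20 + 4

def parse_debug(text):
    """Parse debug ip packet lines into dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["len"] = int(d["len"])
            pkts.append(d)
    return pkts

def pair_tunnel_packets(pkts, tunnel_if, tunnel_src, tunnel_dst):
    """Pair each packet routed out of tunnel_if with the GRE copy that follows
    it (input interface tunnel_if, tunnel source to tunnel destination) and
    check outer length == inner length + GRE_OVERHEAD. Returns (matched,
    unmatched); matched entries are (inner_dst, inner_len, outer_len, ok)."""
    matched, pending = [], []
    for p in pkts:
        if p["out_if"] == tunnel_if and p["action"].startswith("sending"):
            pending.append(p)       # inner packet entering the tunnel
        elif (p["in_if"] == tunnel_if and p["src"] == tunnel_src
              and p["dst"] == tunnel_dst and pending):
            inner = pending.pop(0)  # outer GRE packet toward the peer
            ok = p["len"] == inner["len"] + GRE_OVERHEAD
            matched.append((inner["dst"], inner["len"], p["len"], ok))
    return matched, pending
```

A matched pair shows only that the echo was routed into the tunnel and GRE-encapsulated toward the peer; whether it survived the crypto map and whether the peer answered still has to be checked on the far side or on the wire.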
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:44 GMT-3