RE: GRE on Cisco routers

From: Hedi Abdelkafi (Hedi.Abdelk@simac.lu)
Date: Thu Nov 21 2002 - 12:17:14 GMT-3


Hi,

It's normal.
EIGRP updates are not encrypted (you cannot encrypt multicast traffic, only unicast can be encrypted!).
So EIGRP updates are sent in clear form across the serial interface.
And the routes appear on the other side!!

If you want to encrypt EIGRP updates:
1. First, create a GRE tunnel.
2. Use the network command to cover the subnet used in the tunnel.
3. Remove the network command which covers the subnet (Serial) between RTA and RTB.

Here's an example that I did a long time ago (it works!!).

Configuration with IPSec - Shared Key
-------------------------------------
Network topology

Laptop---Eth---Madrid----PPP---HQ---PPP---Monaco---Eth---Cisco2600Monaco

In this config, we want to pass routing information in encrypted form between
Madrid and Monaco with a GRE tunnel.
We also want to encrypt the remaining traffic (IP and IPX).

hostname HQ
!
ip subnet-zero
!
interface Ethernet0
 ip address 10.4.2.251 255.255.0.0
 no ip directed-broadcast
 no keepalive
!
interface Serial0
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 clockrate 250000
!
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 clockrate 250000
!
ip classless

hostname Madrid
!
enable password cisco
!
ip subnet-zero
!
ip domain-name cisco.com
ip host Monaco 192.168.2.2
!
ipx routing 0001.4219.d201
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.2.2
!
! TRANSFORM-ROUTE protects the GRE packets selected by entry 1 below. Transport
! mode is sufficient there: the GRE packet's own IP header already carries the
! tunnel endpoint addresses, so ESP does not need to add a second one.
crypto ipsec transform-set TRANSFORM-ROUTE esp-des esp-sha-hmac
 mode transport
! TRANSFORM-TRAFFIC protects the LAN-to-LAN traffic selected by entry 10
! (tunnel mode, the default).
crypto ipsec transform-set TRANSFORM-TRAFFIC esp-3des esp-sha-hmac
!
! Entry 1: GRE between the tunnel endpoints (ACL 110). EIGRP and IPX are
! carried inside the GRE, so they are encrypted along with it.
crypto map MONACO 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TRANSFORM-ROUTE
 match address 110
! Entry 10: remaining IP traffic between the two LANs (ACL 100), with PFS.
crypto map MONACO 10 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TRANSFORM-TRAFFIC
 set pfs group2
 match address 100
!
! Tunnel0 carries IP (10.10.0.0/24) and IPX network 1. The MTU is lowered so a
! full-size packet plus GRE and ESP headers still fits the serial link, and the
! crypto map is applied here as well as on the physical Serial0/0.
interface Tunnel0
 ip address 10.10.0.1 255.255.255.0
 ip mtu 1440
 ipx network 1
 tunnel source 192.168.1.2
 tunnel destination 192.168.2.2
 crypto map MONACO
!
interface Ethernet0/0
 ip address 10.2.2.251 255.255.0.0
 no ip route-cache
 no ip mroute-cache
 no keepalive
 half-duplex
 ntp broadcast
 ipx network 2
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 crypto map MONACO
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 100 permit tcp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit udp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit icmp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit tcp 10.2.0.0 0.0.255.255 host 192.168.2.2
access-list 100 permit tcp host 192.168.1.2 10.3.0.0 0.0.255.255
access-list 100 permit icmp host 192.168.1.2 10.3.0.0 0.0.255.255
access-list 110 permit gre host 192.168.1.2 host 192.168.2.2

hostname Monaco
!
enable password cisco
!
ip subnet-zero
!
ip domain-name cisco.com
ip host Madrid 192.168.1.2
!
ipx routing 0001.4236.0f61
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.2
!
crypto ipsec transform-set TRANSFORM-ROUTE esp-des esp-sha-hmac
 mode transport
crypto ipsec transform-set TRANSFORM-TRAFFIC esp-3des esp-sha-hmac
!
crypto map MADRID 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TRANSFORM-ROUTE
 match address 110
crypto map MADRID 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TRANSFORM-TRAFFIC
 set pfs group2
 match address 100
!
interface Tunnel0
 ip address 10.10.0.2 255.255.255.0
 ip mtu 1440
 ipx network 1
 tunnel source 192.168.2.2
 tunnel destination 192.168.1.2
 crypto map MADRID
!
interface Ethernet0/0
 ip address 10.3.2.251 255.255.0.0
 no keepalive
 half-duplex
 ipx network 3
!
interface Serial0/0
 ip address 192.168.2.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 crypto map MADRID
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip http server
!
access-list 100 permit tcp 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit udp 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit icmp 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit tcp host 192.168.2.2 10.2.0.0 0.0.255.255
access-list 100 permit icmp host 192.168.2.2 10.2.0.0 0.0.255.255
access-list 110 permit gre host 192.168.2.2 host 192.168.1.2
!
ipx route 8D39E8B 3.1234.1111.1111
ipx sap 4 NETWARE6 8D39E8B.0000.0000.0003 451 2

Monaco#sh ip route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.0.0/24 is directly connected, Tunnel0
D 10.2.0.0/16 [90/297270016] via 10.10.0.1, 01:01:29, Tunnel0
C 10.3.0.0/16 is directly connected, Ethernet0/0
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Serial0/0
C 192.168.2.1/32 is directly connected, Serial0/0
S* 0.0.0.0/0 [1/0] via 192.168.2.1

Monaco#sh ipx route
Codes: C - Connected primary network, c - Connected secondary network
       S - Static, F - Floating static, L - Local (internal), W - IPXWAN
       R - RIP, E - EIGRP, N - NLSP, X - External, A - Aggregate
       s - seconds, u - uses, U - Per-user static

4 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C 1 (TUNNEL), Tu0
C 3 (NOVELL-ETHER), Et0/0
R 2 [151/01] via 1.0001.4219.d201, 52s, Tu0
S 8D39E8B via 3.1234.1111.1111, Et0/0

Madrid#sh ip route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.0.0/24 is directly connected, Tunnel0
C 10.2.0.0/16 is directly connected, Ethernet0/0
D 10.3.0.0/16 [90/297270016] via 10.10.0.2, 01:02:16, Tunnel0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.1/32 is directly connected, Serial0/0
C 192.168.1.0/24 is directly connected, Serial0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.1

Madrid#sh ipx route
Codes: C - Connected primary network, c - Connected secondary network
       S - Static, F - Floating static, L - Local (internal), W - IPXWAN
       R - RIP, E - EIGRP, N - NLSP, X - External, A - Aggregate
       s - seconds, u - uses, U - Per-user static

4 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C 1 (TUNNEL), Tu0
C 2 (NOVELL-ETHER), Et0/0
R 3 [151/01] via 1.0001.4236.0f61, 28s, Tu0
R 8D39E8B [151/02] via 1.0001.4236.0f61, 28s, Tu0

-----Original Message-----
From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
Sent: Thursday 21 November 2002 14:40
To: ccielab@groupstudy.com
Subject: GRE on Cisco routers

I have 2 questions:

1)

                            IPSec
172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
                     |                  |
               192.168.1.0/24    192.168.2.0/24

Here are more info:-

RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27

Both RTA & RTB are running EIGRP.

As per CCO, IPSec (without GRE) does not transfer routing protocols such as EIGRP /
OSPF etc. I have tested this on the above topology, but I can get the EIGRP routes
across from RTA to RTB & vice versa. What am I missing??

And here are the configs:-

And RTA:-

crypto isakmp policy 15
 hash md5
 authentication pre-share
!
crypto isakmp key 1234a address 10.64.10.14
!
!
crypto ipsec transform-set setOne esp-des esp-md5-hmac
!
crypto map combined local-address Serial1
!
crypto map combined 8 ipsec-isakmp
 set peer 10.64.10.14
 set transform-set setOne
 match address 101
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
!
interface Serial0
 ip address 172.16.1.1 255.255.255.0
 no fair-queue
!
interface Serial1
 ip address 10.64.10.13 255.255.255.224
 no ip route-cache
 no ip mroute-cache
 clockrate 64000
 crypto map combined
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
!
! Only LAN-to-LAN traffic between 172.16.1.0/24 and 172.16.2.0/24 is selected
! for IPsec. Anything else leaving Serial1, including the EIGRP exchange with
! 10.64.10.14, matches no entry here and is forwarded without encryption.
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

RTB:-

crypto isakmp policy 5
 hash md5
 authentication pre-share
!
!
crypto isakmp key 1234a address 10.64.10.13
!
crypto ipsec transform-set setTwo esp-des esp-md5-hmac
!
crypto map combined local-address Serial0
!
crypto map combined 13 ipsec-isakmp
 set peer 10.64.10.13
 set transform-set setTwo
 match address 101
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0
 ip address 10.64.10.14 255.255.255.224
 no fair-queue
 crypto map combined
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.2.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
 no eigrp log-neighbor-changes
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

*** So instead of getting the EIGRP routes via the Tunnel 0 interface, I'm getting them via
the outgoing interface (serial 0), & the IPSec still works. So what am I missing,
and how does it make a difference if I use GRE over IPSec? I also tested RIPv2 &
got similar results.

RTA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0
D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
     10.0.0.0/27 is subnetted, 1 subnets
C 10.64.10.0 is directly connected, Serial1
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
RTA#

RTA#sh crypto engine connections act

  ID  Interface  IP-Address   State  Algorithm           Encrypt  Decrypt
   1  Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB        0        0
2000  Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB        0        6
2001  Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB        6        0

RTA#

--

2)

Most configs / examples I found on CCO and books use:

crypto ipsec transform-set setTwo esp-des

so when would one use:

crypto ipsec transform-set setTwo esp-des <mode transport> ??

Or is it generally not needed / recommended to use mode transport? If anyone can give me some example configs, that would be greatly appreciated.

Thanks, HL

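Added example, not from either poster: a small Python model of how an IOS crypto map selects traffic. A packet is protected only if it matches a `permit` entry of the ACL named by `match address`; a `deny` match means "not protected by this entry, try the next one", and a packet matching nothing leaves the interface in the clear. The ACL lines, peers and crypto-map sequence numbers are copied from the configs in the thread (RTA's ACL 101, Madrid's ACLs 100 and 110); the sample packets are constructed, and EIGRP's protocol number 88 is added so the routing traffic itself can be classified. Run against the thread's configs, it shows RTA's EIGRP hello to 224.0.0.10 and the loopback-to-loopback traffic falling outside ACL 101, while in the GRE design the single GRE flow between 192.168.1.2 and 192.168.2.2 matches ACL 110, so whatever rides inside it (EIGRP, IPX) is encrypted with it.

```python
"""Model of Cisco crypto-map traffic selection (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the keywords used in the thread's ACLs, plus EIGRP.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: Optional[int]  # None stands for the "ip" keyword (any protocol)
    src: int
    src_wild: int
    dst: int
    dst_wild: int


@dataclass(frozen=True)
class MapEntry:
    seq: int              # crypto map sequence number
    acl: str              # ACL referenced by `match address`


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: list, i: int):
    """Parse one IOS address spec at tok[i]: 'any', 'host A' or 'A WILDCARD'."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acls(config: str) -> dict:
    """Collect extended `access-list` lines from IOS config text, keyed by ACL number."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto = tok[1], tok[2], tok[3]
        src, src_wild, i = _parse_addr(tok, 4)
        dst, dst_wild, _ = _parse_addr(tok, i)   # port qualifiers after this are ignored
        acls.setdefault(number, []).append(
            Ace(action, None if proto == "ip" else PROTO_NUM[proto], src, src_wild, dst, dst_wild))
    return acls


def _wild_match(addr: int, ace_addr: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    return (_wild_match(_ip(pkt.src), ace.src, ace.src_wild)
            and _wild_match(_ip(pkt.dst), ace.dst, ace.dst_wild))


def crypto_map_decision(entries, acls: dict, pkt: Packet) -> Optional[int]:
    """Return the sequence number of the crypto map entry that protects `pkt`,
    or None when the packet is forwarded out of the interface in the clear."""
    for entry in sorted(entries, key=lambda e: e.seq):
        for ace in acls.get(entry.acl, []):
            if ace_matches(ace, pkt):
                if ace.action == "permit":
                    return entry.seq
                break                      # deny: skip this entry, try the next one
    return None


# Crypto ACLs as posted: RTA's ACL 101 (Hunt Lee) and Madrid's ACLs 100/110 (Hedi).
THREAD_ACLS = """
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit tcp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit udp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 100 permit icmp 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 110 permit gre host 192.168.1.2 host 192.168.2.2
"""
RTA_MAP = [MapEntry(8, "101")]                          # crypto map combined 8
MADRID_MAP = [MapEntry(1, "110"), MapEntry(10, "100")]  # crypto map MONACO 1 and 10

# Constructed sample packets as they would leave RTA's Serial1 / Madrid's Serial0/0.
SAMPLES = {
    "RTA EIGRP hello 10.64.10.13 -> 224.0.0.10": (RTA_MAP, Packet("10.64.10.13", "224.0.0.10", 88)),
    "RTA LAN ping 172.16.1.1 -> 172.16.2.1": (RTA_MAP, Packet("172.16.1.1", "172.16.2.1", 1)),
    "RTA loopback 192.168.1.1 -> 192.168.2.1": (RTA_MAP, Packet("192.168.1.1", "192.168.2.1", 1)),
    "Madrid GRE 192.168.1.2 -> 192.168.2.2": (MADRID_MAP, Packet("192.168.1.2", "192.168.2.2", 47)),
    "Madrid LAN tcp 10.2.1.1 -> 10.3.1.1": (MADRID_MAP, Packet("10.2.1.1", "10.3.1.1", 6)),
}


def classify_thread_examples() -> dict:
    """Map each sample to the protecting crypto-map sequence number (None = clear)."""
    acls = parse_acls(THREAD_ACLS)
    return {name: crypto_map_decision(cmap, acls, pkt) for name, (cmap, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for name, seq in classify_thread_examples().items():
        verdict = "clear" if seq is None else f"IPsec via entry {seq}"
        print(f"{name:45s} {verdict}")
```

Only the outer IP header is classified, which is the whole point of the GRE design: the crypto ACL has to name just one GRE flow between the tunnel endpoints, and the routing protocol, IPX and anything else placed on the tunnel never has to appear in a crypto ACL at all. Note also that the mirror ACL on the peer must select the same traffic in the reverse direction, or one side will drop what the other encrypts.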



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:08 GMT-3