From: Larson, Chris (CLarson@usaid.gov)
Date: Thu Nov 21 2002 - 13:33:29 GMT-3
Can you not simply make EIGRP use unicast with the neighbor command and
encrypt the unicast updates?
> -----Original Message-----
> From: Yadav, Arvind K (CAP, GECIS) [SMTP:Arvind.Yadav@gecis.ge.com]
> Sent: Thursday, November 21, 2002 10:31 AM
> To: 'Hunt Lee'; ccielab@groupstudy.com
> Subject: RE: GRE on Cisco routers
>
> Lee
>
> Actually, in this scenario the EIGRP updates are not getting encrypted because
> only traffic that matches ACL 101 gets encrypted. Cisco recommends using a
> GRE tunnel over IPSec if you want the routing updates to go over the
> encryption tunnel.
>
> Regards
> Arvind
>
> -----Original Message-----
> From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
> Sent: Thursday, November 21, 2002 7:10 PM
> To: ccielab@groupstudy.com
> Subject: GRE on Cisco routers
>
>
> I have 2 questions:
>
>
> 1)
>
>                     IPSec
> 172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
>                      |                  |
>               192.168.1.0/24     192.168.2.0/24
>
> Here is more info:-
>
> RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
> RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27
>
> Both RTA & RTB are running EIGRP.
>
> As per CCO, IPSec (without GRE) does not transfer routing protocols such
> as EIGRP / OSPF etc. I have tested this on the above topology, but I can
> get the EIGRP routes across from RTA to RTB & vice versa. What am I
> missing??
>
> And here are the configs:-
>
> RTA:-
>
> crypto isakmp policy 15
> hash md5
> authentication pre-share
> !
> crypto isakmp key 1234a address 10.64.10.14
> !
> !
> crypto ipsec transform-set setOne esp-des esp-md5-hmac
> !
> crypto map combined local-address Serial1
> !
> crypto map combined 8 ipsec-isakmp
> set peer 10.64.10.14
> set transform-set setOne
> match address 101
> !
> !
> interface Loopback0
> ip address 192.168.1.1 255.255.255.0
> !
> !
> interface Serial0
> ip address 172.16.1.1 255.255.255.0
> no fair-queue
> !
> interface Serial1
> ip address 10.64.10.13 255.255.255.224
> no ip route-cache
> no ip mroute-cache
> clockrate 64000
> crypto map combined
> !
> router eigrp 1
> network 10.0.0.0
> network 172.16.1.0 0.0.0.255
> network 192.168.1.0
> no auto-summary
> !
> !
> access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
>
>
> RTB:-
>
> crypto isakmp policy 5
> hash md5
> authentication pre-share
> !
> !
> crypto isakmp key 1234a address 10.64.10.13
> !
> crypto ipsec transform-set setTwo esp-des esp-md5-hmac
> !
> crypto map combined local-address Serial0
> !
> crypto map combined 13 ipsec-isakmp
> set peer 10.64.10.13
> set transform-set setTwo
> match address 101
> !
> !
> interface Loopback0
> ip address 192.168.2.1 255.255.255.0
> !
> interface Ethernet0
> ip address 172.16.2.1 255.255.255.0
> !
> interface Serial0
> ip address 10.64.10.14 255.255.255.224
> no fair-queue
> crypto map combined
> !
> !
> router eigrp 1
> network 10.0.0.0
> network 172.16.2.0 0.0.0.255
> network 192.168.2.0
> no auto-summary
> no eigrp log-neighbor-changes
> !
> !
> access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
>
>
> *** So instead of getting the EIGRP routes via the Tunnel 0 interface, I'm
> getting them via the outgoing interface (Serial 0), & the IPSec still works.
> So what am I missing, and how does it make a difference if I use GRE over
> IPSec? I also tested RIPv2 & am getting similar results.
>
> RTA#sh ip route
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
> D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
> N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
> E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
> i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> * - candidate default, U - per-user static route, o - ODR
> P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 172.16.0.0/24 is subnetted, 2 subnets
> C 172.16.1.0 is directly connected, Serial0
> D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
> 10.0.0.0/27 is subnetted, 1 subnets
> C 10.64.10.0 is directly connected, Serial1
> C 192.168.1.0/24 is directly connected, Loopback0
> D 192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
> RTA#
>
> RTA#sh crypto engine connections act
>
> ID    Interface  IP-Address   State  Algorithm           Encrypt  Decrypt
> 1     Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB  0        0
> 2000  Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB  0        6
> 2001  Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB  6        0
>
> RTA#
> --
>
>
> 2)
>
> Most configs / examples I found on CCO and books use:
>
> crypto ipsec transform-set setTwo esp-des
>
> so when would one use:
>
> crypto ipsec transform-set setTwo esp-des <mode transport> ??
>
> Or is it generally not needed / recommended to use the mode transport? If
> anyone can give me some config e.g., that would be greatly appreciated.
>
>
> Thanks,
> HL
>
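To make the crypto-ACL point from the thread concrete, here is an added Python model (not from the thread, not Cisco code) of how a crypto map's match ACL selects packets for IPSec. ACL 101 is taken as posted for RTA; the sample packets, the extra host-to-host line and the GRE ACL are constructed assumptions used to show why EIGRP still works in cleartext while only the 172.16.x traffic is encrypted.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Crypto-ACL entries: (action, protocol, src, src_wildcard, dst, dst_wildcard).
# 'ip' matches every IP protocol; a 'host' entry is a 0.0.0.0 wildcard.
# ACL 101 on RTA exactly as posted in the thread.
RTA_ACL_101 = [("permit", "ip", "172.16.1.0", "0.0.0.255", "172.16.2.0", "0.0.0.255")]

# Constructed: ACL 101 plus a host-to-host line between the serial addresses,
# the kind of entry Chris's unicast-neighbor suggestion would need.
UNICAST_ACL = RTA_ACL_101 + [("permit", "ip", "10.64.10.13", "0.0.0.0", "10.64.10.14", "0.0.0.0")]

# Constructed: the GRE-over-IPSec style Arvind mentions; the crypto ACL selects
# the GRE carrier, and whatever rides inside the tunnel (EIGRP included) is encrypted with it.
GRE_ACL = [("permit", "gre", "10.64.10.13", "0.0.0.0", "10.64.10.14", "0.0.0.0")]

def crypto_acl_matches(acl, proto, src, dst):
    """True if the packet is selected for IPSec; False means it leaves the interface in cleartext."""
    for action, aproto, sbase, swild, dbase, dwild in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

# Constructed packets as they would leave RTA Serial1 (10.64.10.13).
PACKETS = [
    ("eigrp hello", "eigrp", "10.64.10.13", "224.0.0.10"),     # multicast hello, never in ACL 101
    ("eigrp unicast", "eigrp", "10.64.10.13", "10.64.10.14"),  # unicast update (neighbor command)
    ("host traffic", "tcp", "172.16.1.10", "172.16.2.20"),     # the only flow ACL 101 covers
    ("loopback traffic", "icmp", "192.168.1.1", "192.168.2.1"),
    ("gre carrier", "gre", "10.64.10.13", "10.64.10.14"),       # tunnel packet between the serials
]

def classify(acl):
    """Map packet name -> True if this crypto ACL would send it through IPSec."""
    return {name: crypto_acl_matches(acl, p, s, d) for name, p, s, d in PACKETS}

if __name__ == "__main__":
    for label, acl in (("ACL 101", RTA_ACL_101), ("ACL 101 + host line", UNICAST_ACL), ("GRE ACL", GRE_ACL)):
        print(label, classify(acl))
```

With ACL 101 alone the EIGRP hello, the unicast update and the loopback-to-loopback traffic are all sent in the clear, which is why the routes still arrive over Serial1 while `show crypto engine connections` only counts the 172.16.x packets.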
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:08 GMT-3