RE: GRE on Cisco routers

From: Joe A (groupstudy@comcast.net)
Date: Thu Nov 21 2002 - 14:17:41 GMT-3


Don't think you are correct about the ACL; it's good the way it is.

Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Craig King
Sent: Thursday, November 21, 2002 9:43 AM
To: Hunt Lee; ccielab@groupstudy.com
Subject: Re: GRE on Cisco routers

The IPSec settings you have are not configured to affect any EIGRP
traffic. The EIGRP traffic leaving the Serial Interfaces will not be
sourced from a 172.16.0.0 network (but rather 10.64.10.x), so the crypto
policy ignores it. The routers are adjacent on 10.64.10.0, and have
EIGRP enabled on those interfaces, so they are forming valid neighbor
relationships as if IPSec was not there.

I would also look at ACL 101, it only flags traffic in 1 direction. The
ACL needs to flag traffic in both directions to instruct the crypto
policy what to encrypt and decrypt.

HTH,
CK

----- Original Message -----
From: "Hunt Lee" <ciscoforme3@yahoo.com.au>
To: <ccielab@groupstudy.com>
Sent: Thursday, November 21, 2002 8:39 AM
Subject: GRE on Cisco routers

> I have 2 questions:
>
>
> 1)
>
>                    IPSec
> 172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
>                      |                  |
>                192.168.1.0/24      192.168.2.0/24
>
> Here are more info:-
>
> RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
> RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27
>
> Both RTA & RTB are running EIGRP.
>
> As per CCO, IPSec (without GRE) does not transfer routing protocols such
> as EIGRP / OSPF etc. I have tested this on the above topology, but I can
> get the EIGRP routes across from RTA to RTB & vice versa. What am I
> missing??
>
> And here are the configs:-
>
> And RTA:-
>
> crypto isakmp policy 15
> hash md5
> authentication pre-share
> !
> crypto isakmp key 1234a address 10.64.10.14
> !
> !
> crypto ipsec transform-set setOne esp-des esp-md5-hmac
> !
> crypto map combined local-address Serial1
> !
> crypto map combined 8 ipsec-isakmp
> set peer 10.64.10.14
> set transform-set setOne
> match address 101
> !
> !
> interface Loopback0
> ip address 192.168.1.1 255.255.255.0
> !
> !
> interface Serial0
> ip address 172.16.1.1 255.255.255.0
> no fair-queue
> !
> interface Serial1
> ip address 10.64.10.13 255.255.255.224
> no ip route-cache
> no ip mroute-cache
> clockrate 64000
> crypto map combined
> !
> router eigrp 1
> network 10.0.0.0
> network 172.16.1.0 0.0.0.255
> network 192.168.1.0
> no auto-summary
> !
> !
> access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
>
>
> RTB:-
>
> crypto isakmp policy 5
> hash md5
> authentication pre-share
> !
> !
> crypto isakmp key 1234a address 10.64.10.13
> !
> crypto ipsec transform-set setTwo esp-des esp-md5-hmac
> !
> crypto map combined local-address Serial0
> !
> crypto map combined 13 ipsec-isakmp
> set peer 10.64.10.13
> set transform-set setTwo
> match address 101
> !
> !
> interface Loopback0
> ip address 192.168.2.1 255.255.255.0
> !
> interface Ethernet0
> ip address 172.16.2.1 255.255.255.0
> !
> interface Serial0
> ip address 10.64.10.14 255.255.255.224
> no fair-queue
> crypto map combined
> !
> !
> router eigrp 1
> network 10.0.0.0
> network 172.16.2.0 0.0.0.255
> network 192.168.2.0
> no auto-summary
> no eigrp log-neighbor-changes
> !
> !
> access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
>
>
> *** So instead of getting the EIGRP routes via Tunnel 0 interface, I'm
> getting it via the outgoing interface (serial 0), & the IPSec still works.
> So what am I missing, and how does it make a difference if I use GRE over
> IPSec? I also tested RIPv2 & getting similar results.
>
> RTA#sh ip route
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
>        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
>        * - candidate default, U - per-user static route, o - ODR
>        P - periodic downloaded static route
>
> Gateway of last resort is not set
>
> 172.16.0.0/24 is subnetted, 2 subnets
> C 172.16.1.0 is directly connected, Serial0
> D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
> 10.0.0.0/27 is subnetted, 1 subnets
> C 10.64.10.0 is directly connected, Serial1
> C 192.168.1.0/24 is directly connected, Loopback0
> D 192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
> RTA#
>
> RTA#sh crypto engine connections act
>
>    ID Interface  IP-Address   State  Algorithm            Encrypt  Decrypt
>     1 Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB         0        0
>  2000 Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB         0        6
>  2001 Serial1    10.64.10.13  set    HMAC_MD5+DES_56_CB         6        0
>
> RTA#
> --
>
>
> 2)
>
> Most configs / examples I found on CCO and books use:
>
> crypto ipsec transform-set setTwo esp-des
>
> so when would one use:
>
> crypto ipsec transform-set setTwo esp-des <mode transport> ??
>
> Or is it generally not needed / recommended to use the mode transport? If
> anyone can give me some config e.g., that would be greatly appreciated.
>
>
> Thanks,
> HL
>
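An added worked example, not from any poster in this thread, that models the
IOS crypto-ACL wildcard match Craig's reply describes: it takes the two
`access-list 101` entries and the serial addresses from the posted configs and
shows which packets leaving RTA the crypto map would protect and which pass in
the clear (EIGRP hellos to 224.0.0.10 sourced from 10.64.10.13 among the
latter). It also carries the endpoint check behind question 2: ESP transport
mode keeps the original IP header, so it only applies when the traffic's own
source and destination are the two IPsec peers. The sample packets, the
function names and the `SAMPLE_PACKETS` table are constructed for illustration.

```python
# Added example: crypto-ACL matching and transport-mode applicability.
# Addresses and ACL entries are taken from the thread's configs; the sample
# packets and all function names are constructed for this illustration.
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


# Each entry: (src base, src wildcard, dst base, dst wildcard) of a 'permit ip' line.
RTA_ACL_101 = [("172.16.1.0", "0.0.0.255", "172.16.2.0", "0.0.0.255")]
RTB_ACL_101 = [("172.16.2.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")]

# IPsec peer addresses from the posted 'set peer' / serial interface lines.
RTA_SERIAL1 = "10.64.10.13"
RTB_SERIAL0 = "10.64.10.14"


def acl_permits(acl, src: str, dst: str) -> bool:
    """True if any permit entry matches src/dst; no match means the crypto map leaves it unencrypted."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)


def classify(acl, src: str, dst: str) -> str:
    return "ipsec" if acl_permits(acl, src, dst) else "cleartext"


def is_mirror(acl_a, acl_b) -> bool:
    """Peers need mirror-image crypto ACLs: every entry on one side, reversed, must appear on the other."""
    flipped = {(db, dw, sb, sw) for sb, sw, db, dw in acl_a}
    return flipped == set(acl_b)


def transport_mode_applicable(src: str, dst: str, local_peer: str, remote_peer: str) -> bool:
    """ESP transport mode reuses the packet's own IP header, so the packet's
    endpoints must themselves be the two IPsec peers (the GRE-over-IPsec case,
    where the GRE tunnel is sourced and terminated on the peer addresses)."""
    return {src, dst} == {local_peer, remote_peer}


# Constructed sample packets as they would leave RTA's Serial1.
SAMPLE_PACKETS = {
    "eigrp_hello": ("10.64.10.13", "224.0.0.10"),  # EIGRP multicast hello from the serial address
    "lan_to_lan":  ("172.16.1.5", "172.16.2.9"),   # host on RTA's Serial0 LAN to host on RTB's Ethernet0 LAN
    "loopback":    ("192.168.1.1", "192.168.2.1"), # loopback to loopback, not covered by ACL 101
    "gre_between_peers": ("10.64.10.13", "10.64.10.14"),  # what a GRE tunnel between the serials would look like
}


def classify_samples(acl=RTA_ACL_101):
    return {name: classify(acl, s, d) for name, (s, d) in SAMPLE_PACKETS.items()}


def transport_candidates():
    return {name: transport_mode_applicable(s, d, RTA_SERIAL1, RTB_SERIAL0)
            for name, (s, d) in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
    print("RTA/RTB ACL 101 are mirror images:", is_mirror(RTA_ACL_101, RTB_ACL_101))
    print("transport mode applicable:", transport_candidates())
```

Running it shows the EIGRP hello and the loopback-to-loopback traffic classed
as cleartext while only the 172.16.1.0/24 to 172.16.2.0/24 traffic is
protected, which is why the neighbor relationship and the routes in the posted
`sh ip route` form exactly as they would without the crypto map; the mirror
check passes for the two ACLs as posted.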



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:08 GMT-3