RE: GRE on Cisco routers

From: Joe A (groupstudy@comcast.net)
Date: Thu Nov 21 2002 - 14:19:39 GMT-3


Put another router between RTA and RTB, with no dynamic routing protocol
(use static routes to bring up IPSec tunnel) and you will see that the
EIGRP neighbors don't establish. Then add a GRE tunnel and you'll see
how it works.

Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Yadav, Arvind K (CAP, GECIS)
Sent: Thursday, November 21, 2002 10:31 AM
To: 'Hunt Lee'; ccielab@groupstudy.com
Subject: RE: GRE on Cisco routers

Lee

Actually in this scenario EIGRP updates are not getting encrypted because
only traffic that matches ACL 101 gets encrypted. Cisco recommends using a
GRE tunnel over IPSEC if you want the routing updates over the encryption
tunnel.

Regards
Arvind

-----Original Message-----
From: Hunt Lee [mailto:ciscoforme3@yahoo.com.au]
Sent: Thursday, November 21, 2002 7:10 PM
To: ccielab@groupstudy.com
Subject: GRE on Cisco routers

I have 2 questions:

1)
                            IPSec
172.16.1.1/24 ----- RTA ============== RTB ------ 172.16.2.1/24
                     | |
              192.168.1.0/24 192.168.2.0/24

Here are more info:-

RTA's Serial0 (connecting to RTB) - 10.64.10.13/27
RTB's Serial1 (connecting back to RTA) - 10.64.10.14/27

Both RTA & RTB are running EIGRP.

As per CCO, IPSec (without GRE) does not transfer routing protocols such
as EIGRP / OSPF etc. I have tested this on the above topology, but I
can get the EIGRP routes across from RTA to RTB & vice versa. What am I
missing??

And here are the configs:-

And RTA:-

crypto isakmp policy 15
 hash md5
 authentication pre-share
!
crypto isakmp key 1234a address 10.64.10.14
!
!
crypto ipsec transform-set setOne esp-des esp-md5-hmac
!
crypto map combined local-address Serial1
!
crypto map combined 8 ipsec-isakmp
 set peer 10.64.10.14
 set transform-set setOne
 match address 101
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
!
interface Serial0
 ip address 172.16.1.1 255.255.255.0
 no fair-queue
!
interface Serial1
 ip address 10.64.10.13 255.255.255.224
 no ip route-cache
 no ip mroute-cache
 clockrate 64000
 crypto map combined
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

RTB:-

crypto isakmp policy 5
 hash md5
 authentication pre-share
!
!
crypto isakmp key 1234a address 10.64.10.13
!
crypto ipsec transform-set setTwo esp-des esp-md5-hmac
!
crypto map combined local-address Serial0
!
crypto map combined 13 ipsec-isakmp
 set peer 10.64.10.13
 set transform-set setTwo
 match address 101
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0
 ip address 10.64.10.14 255.255.255.224
 no fair-queue
 crypto map combined
!
!
router eigrp 1
 network 10.0.0.0
 network 172.16.2.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
 no eigrp log-neighbor-changes
!
!
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

*** So instead of getting the EIGRP routes via the Tunnel 0 interface, I'm
getting them via the outgoing interface (serial 0), & the IPSec still
works. So what am I missing, and how does it make a difference if I use
GRE over IPSec? I also tested RIPv2 & am getting similar results.

RTA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0
D 172.16.2.0 [90/2195456] via 10.64.10.14, 00:36:16, Serial1
     10.0.0.0/27 is subnetted, 1 subnets
C 10.64.10.0 is directly connected, Serial1
C 192.168.1.0/24 is directly connected, Loopback0
D 192.168.2.0/24 [90/2297856] via 10.64.10.14, 01:24:52, Serial1
RTA#

RTA#sh crypto engine connections act

  ID Interface      IP-Address    State  Algorithm            Encrypt  Decrypt
   1 Serial1        10.64.10.13   set    HMAC_MD5+DES_56_CB         0        0
2000 Serial1        10.64.10.13   set    HMAC_MD5+DES_56_CB         0        6
2001 Serial1        10.64.10.13   set    HMAC_MD5+DES_56_CB         6        0

RTA#

--

2)

Most configs / examples I found on CCO and books use:

crypto ipsec transform-set setTwo esp-des

so when would one use:

crypto ipsec transform-set setTwo esp-des <mode transport> ??

Or is it generally not needed / recommended to use the mode transport? If anyone can give me some config e.g., that would be greatly appreciated.

Thanks, HL
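To make the point in the replies above concrete, here is an added Python model of the crypto-map selection rule; it is not IOS code and is not from anyone in the thread. A packet leaving an interface with a crypto map applied is encrypted only if the crypto ACL permits it, and EIGRP hellos are sourced from the serial address to 224.0.0.10, so they never match RTA's access-list 101 (which is taken verbatim from the posted config) and cross the serial link in the clear. GRE wraps those hellos in a unicast packet between the tunnel endpoints, which a `permit gre host ... host ...` crypto ACL can select. The GRE crypto ACL, the tunnel endpoints (assumed to be the two serial addresses), and the sample packets are constructed assumptions, not values from the thread.

```python
"""Model of which packets a Cisco crypto-map ACL selects for IPsec.

Constructed example, not IOS code. Addresses come from the thread's
topology; the GRE crypto ACL and sample packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "icmp", "eigrp", "gre", ...
    inner: Optional["Packet"] = None   # set when this packet is a GRE envelope


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL, e.g.
    'permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255'."""
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def acl_permits(pkt: Packet, acl: List[AclEntry]) -> bool:
    """First matching entry wins; an implicit deny sits at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if (_wildcard_match(pkt.src, e.src, e.src_wild)
                and _wildcard_match(pkt.dst, e.dst, e.dst_wild)):
            return e.action == "permit"
    return False


def classify(pkt: Packet, crypto_acl: List[AclEntry]) -> str:
    """What the crypto map does with a packet leaving the interface."""
    return "encrypted" if acl_permits(pkt, crypto_acl) else "cleartext"


def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """GRE puts the original packet inside a unicast IP packet whose
    addresses are the tunnel endpoints, so it is routable and matchable."""
    return Packet(src=tunnel_src, dst=tunnel_dst, proto="gre", inner=pkt)


def forwarded_by_transit_router(pkt: Packet) -> bool:
    """Link-local multicast (224.0.0.0/24, which holds EIGRP's 224.0.0.10)
    is never routed; it only reaches directly connected neighbours.  This
    models Joe's 'put another router between RTA and RTB' test."""
    return ipaddress.IPv4Address(pkt.dst) not in ipaddress.IPv4Network("224.0.0.0/24")


# RTA's access-list 101 exactly as posted in the thread
ACL_101_RTA = [AclEntry("permit", "ip", "172.16.1.0", "0.0.0.255",
                        "172.16.2.0", "0.0.0.255")]

# Assumed crypto ACL for GRE over IPsec (not in the thread):
#   access-list 102 permit gre host 10.64.10.13 host 10.64.10.14
ACL_GRE_RTA = [AclEntry("permit", "gre", "10.64.10.13", "0.0.0.0",
                        "10.64.10.14", "0.0.0.0")]

# Constructed sample packets leaving RTA's Serial1
EIGRP_HELLO = Packet("10.64.10.13", "224.0.0.10", "eigrp")
LAN_PING = Packet("172.16.1.10", "172.16.2.10", "icmp")
GRE_HELLO = gre_encapsulate(EIGRP_HELLO, "10.64.10.13", "10.64.10.14")


def demo() -> dict:
    """Summarise how each sample packet is treated under each crypto ACL."""
    return {
        "eigrp hello / acl 101": classify(EIGRP_HELLO, ACL_101_RTA),
        "lan ping / acl 101": classify(LAN_PING, ACL_101_RTA),
        "eigrp hello / gre acl": classify(EIGRP_HELLO, ACL_GRE_RTA),
        "gre(eigrp hello) / gre acl": classify(GRE_HELLO, ACL_GRE_RTA),
        "eigrp hello crosses transit router": forwarded_by_transit_router(EIGRP_HELLO),
        "gre(eigrp hello) crosses transit router": forwarded_by_transit_router(GRE_HELLO),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:45s} -> {result}")
```

The model explains both observations in the thread: on a directly connected serial link the hellos reach the neighbour unencrypted, so EIGRP works and the routes show up via Serial1 rather than a tunnel; once the hellos are inside GRE they become unicast between the tunnel endpoints, which both survives an intermediate hop and can be selected by the crypto ACL.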




This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:08 GMT-3