From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Tue Mar 18 2003 - 19:38:13 GMT-3
I didn't read the thread, but it's probably inside the IPsec tunnel.
IPsec doesn't support broadcasts and multicasts, which thus breaks
routing protocols.
Running GRE inside the IPsec tunnel fixes the problem.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jeongwoo Park
Sent: Tuesday, March 18, 2003 3:23 PM
To: 'Tasuka Amano Hsu'
Cc: 'ccielab@groupstudy.com'
Subject: RE: GRE Tunnel with IPSec encapsulation!
Just out of curiosity,
Why would you need a GRE tunnel outside the IPsec tunnel?
JP
-----Original Message-----
From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
Sent: Monday, March 17, 2003 7:28 PM
To: Brown, Patrick (NSOC-OCF}
Cc: ccielab Groupstudy
Subject: Re: GRE Tunnel with IPSec encapsulation!
Thanks, I thought too much about it!
Only permitting GRE traffic works too.
Best Regards
Tasuka
On Monday, Mar 17, 2003, at 23:38 Asia/Taipei, Brown, Patrick
(NSOC-OCF} wrote:
> You only need the access-list 101 permit gre host <tunnel source> host
> <tunnel destination> on both routers. All traffic traversing the GRE
> tunnel will be encrypted. Set the configuration to TRANSPORT mode on
> your IPSEC transform sets.
> You also have to set the Crypto maps on the GRE interfaces, and the
> egress interface.
>
> Thanks,
>
> Patrick B
> -----Original Message-----
> From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
> Sent: Monday, March 17, 2003 2:30 AM
> To: ccielab Groupstudy
> Subject: GRE Tunnel with IPSec encapsulation!
>
>
> Here is my GRE tunnel over IPSec configuration, and it works, but am I
> overthinking the access-list, or using too many commands to do it? I
> tried IP-IP tunnel mode, and GRE-IP mode is the same config. If I did
> not put the crypto map on interface Tunnel0, then I got an error saying
> protocol type 47 is not encapsulated with IPSec. Could somebody share
> yours?
>
> R1 and R2 are connected directly via Ethernet.
>
> Best Regards
>
> Tasuka
>
>
> !
> hostname R1
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key cisco address 172.16.100.174
> !
> !
> crypto ipsec transform-set IPform1 ah-md5-hmac
> crypto ipsec transform-set IPform2 esp-des
> !
> crypto map IPSEC 10 ipsec-isakmp
> set peer 172.16.100.174
> set transform-set IPform2 IPform1
> set pfs group1
> match address 101
> !
> interface Tunnel0
> ip address 172.16.11.1 255.255.255.0
> tunnel source 172.16.100.253
> tunnel destination 172.16.100.174
> tunnel sequence-datagrams
> tunnel checksum
> tunnel path-mtu-discovery
> crypto map IPSEC
> !
> interface Ethernet0
> ip address 172.16.100.253 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> crypto map IPSEC
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.100.174
> no ip http server
> !
> access-list 101 deny ahp any any
> access-list 101 deny esp any any
> access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
> access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
> !
>
> !
> hostname R2
> !
> enable password cisco
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key cisco address 172.16.100.253
> !
> !
> crypto ipsec transform-set IPform1 ah-md5-hmac
> crypto ipsec transform-set IPform2 esp-des
> !
> crypto map IPSS 10 ipsec-isakmp
> set peer 172.16.100.253
> set transform-set IPform2 IPform1
> set pfs group1
> match address 101
> !
> interface Tunnel0
> ip address 172.16.11.2 255.255.255.0
> tunnel source 172.16.100.174
> tunnel destination 172.16.100.253
> tunnel sequence-datagrams
> tunnel checksum
> tunnel path-mtu-discovery
> crypto map IPSS
> !
> interface Ethernet0
> ip address 172.16.100.174 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> crypto map IPSS
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.100.253
> no ip http server
> !
> access-list 101 deny ahp any any
> access-list 101 deny esp any any
> access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
> access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
> !
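The thread's checklist (the crypto map on both Tunnel0 and the egress interface, a crypto ACL of just `permit gre host <source> host <destination>`, and transport-mode transform sets) can be turned into a lint you run against a config before pushing it. The following Python is an added example written for this page; it is not code from the thread, from GroupStudy, or from Cisco. `parse_ios()` and `check_gre_over_ipsec()` are hypothetical helpers, `R1_CONFIG` is R1's configuration as posted above trimmed to the stanzas that matter, and `R1_FIXED` is a constructed variant with Patrick's changes applied. Against the posted config the lint reports the two transform sets still in IOS's default tunnel mode and the three ACL entries beyond the GRE permit; against the fixed variant it reports nothing.

```python
"""Lint a Cisco IOS GRE-over-IPsec config against the checklist given in this thread.
Hypothetical helpers, not a Cisco or IOS tool: parse_ios() reads the relevant stanzas,
check_gre_over_ipsec() reports what deviates from the thread's advice."""
import re

# R1's configuration as posted in the thread, trimmed to the relevant stanzas.
R1_CONFIG = """\
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.16.100.174
 set transform-set IPform2 IPform1
 match address 101
!
interface Tunnel0
 ip address 172.16.11.1 255.255.255.0
 tunnel source 172.16.100.253
 tunnel destination 172.16.100.174
 crypto map IPSEC
!
interface Ethernet0
 ip address 172.16.100.253 255.255.255.0
 crypto map IPSEC
!
access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
"""

# Constructed variant with Patrick's advice applied: transport mode and only the GRE permit.
R1_FIXED = "\n".join(
    line for line in R1_CONFIG.replace("ah-md5-hmac", "ah-md5-hmac\n mode transport")
    .replace("esp-des", "esp-des\n mode transport").splitlines()
    if not line.startswith("access-list") or "permit gre" in line
)


def parse_ios(text):
    """Collect interfaces, crypto maps, transform sets and ACLs from IOS config text.
    Sub-commands may be indented or not (the posted config lost its indentation)."""
    cfg = {"interfaces": {}, "crypto_maps": {}, "transform_sets": {}, "acls": {}}
    section = None  # (table, name) of the stanza whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None  # a '!' line ends the current stanza
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("interfaces", m[1])
            cfg["interfaces"].setdefault(m[1], {})
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            section = ("crypto_maps", m[1])
            cfg["crypto_maps"].setdefault(m[1], {"transform_sets": []})
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            section = ("transform_sets", m[1])
            cfg["transform_sets"][m[1]] = {"algs": m[2].split(), "mode": "tunnel"}  # IOS default
        elif m := re.fullmatch(r"access-list (\d+) (.+)", line):
            section = None
            cfg["acls"].setdefault(m[1], []).append(m[2])
        elif section:
            stanza, w = cfg[section[0]][section[1]], line.split()
            key = " ".join(w[:2])
            if section[0] == "interfaces" and len(w) > 2 and key in (
                    "ip address", "tunnel source", "tunnel destination", "crypto map"):
                stanza[key.replace(" ", "_")] = w[2]
            elif section[0] == "crypto_maps" and key == "set transform-set":
                stanza["transform_sets"] = w[2:]
            elif section[0] == "crypto_maps" and key == "match address" and len(w) > 2:
                stanza["acl"] = w[2]
            elif section[0] == "transform_sets" and w[0] == "mode" and len(w) > 1:
                stanza["mode"] = w[1]
    return cfg


def check_gre_over_ipsec(cfg):
    """Return findings (strings) where the config deviates from the thread's checklist."""
    findings = []
    tunnels = {n: i for n, i in cfg["interfaces"].items() if n.lower().startswith("tunnel")}
    for tname, tun in tunnels.items():
        src, dst, cmap_name = (tun.get(k) for k in ("tunnel_source", "tunnel_destination", "crypto_map"))
        if not cmap_name:  # Tasuka's symptom: protocol 47 not encapsulated with IPsec
            findings.append(f"{tname}: no crypto map on the tunnel interface")
            continue
        cmap = cfg["crypto_maps"].get(cmap_name, {})
        # The same map must also sit on the egress interface, the one owning the tunnel source.
        egress = [n for n, i in cfg["interfaces"].items() if i.get("ip_address") == src]
        if not egress or any(cfg["interfaces"][n].get("crypto_map") != cmap_name for n in egress):
            findings.append(f"{tname}: crypto map {cmap_name} not on the egress interface for {src}")
        # Crypto ACL: one line permitting GRE between the tunnel endpoints is all that is needed.
        acl_id, wanted = cmap.get("acl"), f"permit gre host {src} host {dst}"
        acl = cfg["acls"].get(acl_id, [])
        if wanted not in acl:
            findings.append(f"{tname}: access-list {acl_id} lacks '{wanted}'")
        findings += [f"{tname}: access-list {acl_id} entry '{e}' is unnecessary" for e in acl if e != wanted]
        # Transform sets: transport mode as advised (IOS defaults to tunnel mode when unset).
        for ts in cmap.get("transform_sets", []):
            if cfg["transform_sets"].get(ts, {}).get("mode") != "transport":
                findings.append(f"{tname}: transform-set {ts} is not in transport mode")
    return findings


if __name__ == "__main__":
    for label, text in (("R1 as posted", R1_CONFIG), ("R1 fixed", R1_FIXED)):
        print(f"--- {label}")
        print("\n".join(check_gre_over_ipsec(parse_ios(text)) or ["no findings"]))
```

The parser deliberately accepts unindented sub-commands, because configs pasted into mail (as in this thread) usually arrive with the indentation stripped; it relies on the `!` separators instead. Run the same lint against R2's config after swapping the addresses to confirm both ends agree.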
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:42 GMT-3