From: lg01 (lg01@myway.com)
Date: Tue Apr 22 2003 - 10:54:01 GMT-3
Last question for the night before heading to bed ;)
        192.168.6.0/24
              |
              R6
             /  \
           R3    R5
             \  /
              R1
              |
              |
              R4
              |
              |
              R13
              |
        192.168.13.0/24
Ok, that was the topology. And now I have an IPSec tunnel connected directly from R6 to R13...
And here are the 2 GRE tunnel interfaces:
r6#sh run int tu0
Building configuration...

Current configuration : 141 bytes
!
interface Tunnel0
 ip address 172.16.210.1 255.255.255.252
 tunnel source 172.16.6.1
 tunnel destination 172.16.13.1
 crypto map MapA
end

r6#

R13#sh run int tunnel 0
Building configuration...

Current configuration : 141 bytes
!
interface Tunnel0
 ip address 172.16.210.2 255.255.255.252
 tunnel source 172.16.13.1
 tunnel destination 172.16.6.1
 crypto map MapA
end

R13#
And I want to encrypt the traffic between 192.168.6.0/24 & 192.168.13.0/24
Now, I have heard of 2 ways to do this...
One is via:-
On R13:
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
On R6:
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
OR (just encrypt on the tunnel endpoints by GRE)
On R13:
access-list 103 permit gre host 172.16.13.1 host 172.16.6.1
On R6:
access-list 103 permit gre host 172.16.6.1 host 172.16.13.1
It seems that on some exercises I did, the 1st case works, while on other ones the 2nd one works.... so what decides when I should use each?
Just for completeness, I have also attached the full config for the 2 routers:-
r6#sh run
!
ip multicast-routing
isdn switch-type basic-net3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.13.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.13.1
set transform-set SetA
match address 103
!
!
!
!
interface Loopback0
ip address 172.16.6.1 255.255.255.0
ip pim sparse-mode
ip ospf network point-to-point
!
interface Loopback1
ip address 192.168.6.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.1 255.255.255.252
tunnel source 172.16.6.1
tunnel destination 172.16.13.1
crypto map MapA
!
interface Ethernet0
ip address 25.1.1.1 255.255.255.0
!
interface Serial0
no ip address
encapsulation frame-relay
no fair-queue
clockrate 64000
frame-relay traffic-shaping
!
interface Serial0.1 point-to-point
bandwidth 16
ip address 172.16.146.6 255.255.255.240
frame-relay interface-dlci 614
class ClassA
!
interface Serial0.2 multipoint
bandwidth 48
backup delay 10 60
backup interface BRI0
ip address 172.16.100.6 255.255.255.224
ip pim nbma-mode
ip pim sparse-mode
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-multipoint
frame-relay map ip 172.16.100.3 603 broadcast
frame-relay map ip 172.16.100.5 605 broadcast
frame-relay interface-dlci 603
class ClassB
frame-relay interface-dlci 605
class ClassA
no frame-relay inverse-arp
crypto map MapA
!
interface Serial1
ip address 172.16.86.6 255.255.255.0
ip pim sparse-mode
custom-queue-list 1
!
interface BRI0
ip address 172.16.56.6 255.255.255.248
encapsulation ppp
dialer idle-timeout 240
dialer map ip 172.16.56.5 name r5 broadcast 2222
dialer load-threshold 1 either
dialer-group 1
isdn switch-type basic-net3
no peer neighbor-route
ppp multilink
!
router eigrp 146
redistribute ospf 1
redistribute eigrp 68
passive-interface BRI0
passive-interface Serial0.2
passive-interface Serial1
network 172.16.146.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router eigrp 68
redistribute eigrp 146
redistribute ospf 1
passive-interface BRI0
passive-interface Serial0.1
passive-interface Serial0.2
network 172.16.86.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
redistribute eigrp 146 metric-type 1 subnets
redistribute eigrp 68 metric-type 1 subnets
network 172.16.6.0 0.0.0.255 area 60
network 172.16.56.0 0.0.0.255 area 0
network 172.16.100.0 0.0.0.255 area 0
!
router rip
passive-interface BRI0
passive-interface Ethernet0
passive-interface Serial0.1
passive-interface Serial0.2
passive-interface Serial1
network 172.16.0.0
network 192.168.6.0
!
router bgp 64500
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 100
aggregate-address 200.200.200.0 255.255.255.0 as-set summary-only
neighbor 172.16.3.1 remote-as 64500
neighbor 172.16.3.1 update-source Loopback0
neighbor 172.16.3.1 send-community
neighbor 172.16.3.1 route-map 200net out
neighbor 172.16.5.1 remote-as 64500
neighbor 172.16.5.1 update-source Loopback0
neighbor 172.16.5.1 send-community
neighbor 172.16.5.1 route-map 200net out
neighbor 172.16.8.1 remote-as 8
neighbor 172.16.8.1 ebgp-multihop 2
neighbor 172.16.8.1 update-source Loopback0
neighbor 172.16.8.1 route-map no100 out
neighbor 172.16.14.1 remote-as 14
neighbor 172.16.14.1 ebgp-multihop 2
neighbor 172.16.14.1 update-source Loopback0
neighbor 172.16.14.1 route-map Community in
no auto-summary
!
ip local policy route-map Routing
ip classless
ip http server
ip pim rp-address 172.16.6.1
!
!
ip prefix-list 200sum seq 5 permit 200.200.200.0/24
!
map-class frame-relay ClassA
no frame-relay adaptive-shaping
frame-relay cir 12000
frame-relay bc 1500
frame-relay be 3960
frame-relay mincir 6000
!
map-class frame-relay ClassB
no frame-relay adaptive-shaping
frame-relay cir 24000
frame-relay bc 3000
frame-relay be 7920
frame-relay mincir 12000
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 101 permit tcp 172.16.80.0 0.0.0.127 any eq www
access-list 101 permit tcp host 172.16.80.10 any eq smtp
access-list 101 permit tcp host 172.16.80.10 any eq pop3
access-list 101 permit tcp host 172.16.6.1 any eq telnet
access-list 101 permit tcp host 172.16.8.1 any eq telnet
access-list 101 permit tcp host 172.16.14.1 any eq telnet
access-list 101 permit ip 172.16.1.0 0.0.254.245 any
access-list 101 permit icmp any any
access-list 102 permit ip any host 172.16.134.13
access-list 102 permit ip any host 172.16.13.1
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit tcp any any eq 2065
access-list 104 permit tcp any eq 2065 any
access-list 104 permit tcp any any eq 2067
access-list 104 permit tcp any eq 2067 any
queue-list 1 protocol ip 1 list 104
queue-list 1 protocol ip 2
queue-list 1 default 3
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 1000
queue-list 1 queue 3 byte-count 1000
dialer-list 1 protocol ip list 101
route-map no100 deny 10
match ip address 1
!
route-map no100 permit 20
!
route-map 200net deny 10
match ip address prefix-list 200sum
!
route-map 200net permit 20
!
route-map Community permit 10
match ip address 1
set community local-AS
!
route-map Community permit 20
!
route-map Routing permit 10
match ip address 102
set ip next-hop 172.16.100.3
!
end
And for R13:
R13#sh run
Building configuration...
!
hostname R13
!
logging buffered 4096 debugging
!
memory-size iomem 10
clock timezone est -5
clock summer-time PAC recurring
ip subnet-zero
!
!
!
frame-relay switching
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.6.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.6.1
set transform-set SetA
match address 103
!
!
interface Loopback0
ip address 172.16.13.1 255.255.255.0
!
interface Loopback1
ip address 200.200.200.1 255.255.255.128
!
interface Loopback2
ip address 200.200.200.129 255.255.255.128
!
interface Loopback3
ip address 192.168.13.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.2 255.255.255.252
tunnel source 172.16.13.1
tunnel destination 172.16.6.1
crypto map MapA
!
interface FastEthernet0/0
ip address 172.16.134.13 255.255.255.0
duplex auto
speed auto
crypto map MapA
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map Connect
network 172.16.134.0 0.0.0.255 area 2
!
router rip
timers basic 60 360 360 480
passive-interface FastEthernet0/0
network 172.16.0.0
network 192.168.13.0
!
router bgp 65001
bgp log-neighbor-changes
bgp confederation identifier 134
bgp confederation peers 65002
network 200.200.200.0 mask 255.255.255.128
network 200.200.200.128 mask 255.255.255.128
neighbor 172.16.4.1 remote-as 65002
neighbor 172.16.4.1 ebgp-multihop 2
neighbor 172.16.4.1 update-source Loopback0
no auto-summary
!
ip local policy route-map Critical
ip classless
ip http server
!
!
ip prefix-list Loop seq 5 permit 172.16.13.0/24
!
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
route-map Critical permit 10
set ip precedence critical
!
route-map Connect permit 10
match ip address prefix-list Loop
!
end
R13#
Thanks in advance,
Regards,
Hunt
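As an added example (not from Hunt's post or from the routers' configurations): in the posted configs MapA is applied both on Tunnel0 and on the physical egress interface, so outbound traffic is evaluated against ACL 103 twice, once as the inner IP packet and once as the GRE packet whose addresses are the tunnel endpoints. The model below checks R6's two candidate ACLs against both headers; the sample packets and the two-stage evaluation are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

GRE = 47  # IP protocol number in the outer header after GRE encapsulation

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number (1 = ICMP, 17 = UDP, 47 = GRE)

@dataclass(frozen=True)
class AclEntry:
    proto: str   # "ip" matches any protocol, "gre" only protocol 47
    src: str
    src_wc: str  # Cisco wildcard mask: 1 bits are "don't care"; "host x" is 0.0.0.0
    dst: str
    dst_wc: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, pkt: Packet) -> bool:
    for e in acl:
        if e.proto == "gre" and pkt.proto != GRE:
            continue
        if wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc):
            return True
    return False  # implicit deny at the end of every crypto ACL

def gre_encapsulate(pkt: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    # The outer header is all the physical-interface crypto map gets to see.
    return Packet(tunnel_src, tunnel_dst, GRE)

def encrypted_stages(acl, pkt: Packet, tunnel_src: str, tunnel_dst: str) -> list:
    """Crypto-map checks the traffic matches: 'tunnel' (inner packet) and/or 'physical' (GRE)."""
    stages = []
    if acl_permits(acl, pkt):
        stages.append("tunnel")
    if acl_permits(acl, gre_encapsulate(pkt, tunnel_src, tunnel_dst)):
        stages.append("physical")
    return stages

# R6's two candidate crypto ACLs, as written in the post.
SUBNET_ACL = [AclEntry("ip", "192.168.6.0", "0.0.0.255", "192.168.13.0", "0.0.0.255")]
GRE_ACL = [AclEntry("gre", "172.16.6.1", "0.0.0.0", "172.16.13.1", "0.0.0.0")]
R6_TUNNEL = ("172.16.6.1", "172.16.13.1")  # tunnel source, tunnel destination on R6

# Constructed sample traffic leaving R6 through Tunnel0.
LAN_PING = Packet("192.168.6.1", "192.168.13.1", 1)    # LAN-to-LAN ICMP
RIP_UPDATE = Packet("172.16.210.1", "224.0.0.9", 17)   # RIP sent over the tunnel itself
```

The subnet ACL only ever matches the LAN-to-LAN traffic, at the Tunnel0 check, while the GRE ACL matches everything carried by the tunnel, routing updates included, at the physical-interface check.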
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:01 GMT-3