From: Baety Wayne SrA 18 CS/SCBX (Wayne.Baety@kadena.af.mil)
Date: Wed Apr 23 2003 - 03:53:56 GMT-3
The first style of access list encrypts traffic coming from
13.0/24 to 6.0/24 and vice versa only. It does not encrypt
the gre tunnel. It would not encrypt any other traffic from any
other networks. The second encrypts all traffic sent through the
gre tunnel, because you are really encrypting the tunnel itself.
Upper layers encapsulated within gre are inherently encrypted.

If you could place a protocol analyzer between r13 and r4 and you
use the first style of access list, you would see isakmp and esp
traffic. The esp traffic would be your encrypted 13.0/24 and
6.0/24 networks. You would also see gre traffic occurring alongside,
but you are not associating the gre tunnel traffic with your ipsec
configuration. It's just all by itself doing its own thing.

With the second style of access list you would only see gre traffic with
a protocol analyzer, as long as you route 13.0/24 and 6.0/24 through
the tunnel. If you do not route those networks through the tunnel they will
not be encrypted; however, they will still attempt SA bindings and will
eventually fail.
-----Original Message-----
From: lg01 [mailto:lg01@myway.com]
Sent: Tuesday, April 22, 2003 10:54 PM
To: ccielab@groupstudy.com
Subject: IPSec confusion
Last question for the nite before heading to bed ;)
      192.168.6.0/24
            |
            R6
           /  \
         R3    R5
           \  /
            R1
            |
            |
            R4
            |
            |
            R13
            |
      192.168.13.0/24
Ok, that was the topology. And now I have an IPSec tunnel connected directly
from R6 to R13...
And here are the 2 GRE tunnel interfaces:
r6#sh run int tu0
Building configuration...
Current configuration : 141 bytes
!
interface Tunnel0
ip address 172.16.210.1 255.255.255.252
tunnel source 172.16.6.1
tunnel destination 172.16.13.1
crypto map MapA
end
r6#
R13#sh run int tunnel 0
Building configuration...
Current configuration : 141 bytes
!
interface Tunnel0
ip address 172.16.210.2 255.255.255.252
tunnel source 172.16.13.1
tunnel destination 172.16.6.1
crypto map MapA
end
R13#
And I want to encrypt the traffic between 192.168.6.0/24 & 192.168.13.0/24
Now, I have heard of 2 ways to do this...
One is via:-
On R13:
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
On R6:
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
OR (just encrypt on the tunnel endpoints by GRE)
On R13:
access-list 103 permit gre host 172.16.13.1 host 172.16.6.1
On R6:
access-list 103 permit gre host 172.16.6.1 host 172.16.13.1
It seems that on some exercises I did, the 1st case works, while on other
ones, the 2nd ones work.... so what decides when I should use each?
Just for completeness, I have also attached the full config for the 2
routers:-
r6#sh run
!
ip multicast-routing
isdn switch-type basic-net3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.13.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.13.1
set transform-set SetA
match address 103
!
!
!
!
interface Loopback0
ip address 172.16.6.1 255.255.255.0
ip pim sparse-mode
ip ospf network point-to-point
!
interface Loopback1
ip address 192.168.6.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.1 255.255.255.252
tunnel source 172.16.6.1
tunnel destination 172.16.13.1
crypto map MapA
!
interface Ethernet0
ip address 25.1.1.1 255.255.255.0
!
interface Serial0
no ip address
encapsulation frame-relay
no fair-queue
clockrate 64000
frame-relay traffic-shaping
!
interface Serial0.1 point-to-point
bandwidth 16
ip address 172.16.146.6 255.255.255.240
frame-relay interface-dlci 614
class ClassA
!
interface Serial0.2 multipoint
bandwidth 48
backup delay 10 60
backup interface BRI0
ip address 172.16.100.6 255.255.255.224
ip pim nbma-mode
ip pim sparse-mode
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-multipoint
frame-relay map ip 172.16.100.3 603 broadcast
frame-relay map ip 172.16.100.5 605 broadcast
frame-relay interface-dlci 603
class ClassB
frame-relay interface-dlci 605
class ClassA
no frame-relay inverse-arp
crypto map MapA
!
interface Serial1
ip address 172.16.86.6 255.255.255.0
ip pim sparse-mode
custom-queue-list 1
!
interface BRI0
ip address 172.16.56.6 255.255.255.248
encapsulation ppp
dialer idle-timeout 240
dialer map ip 172.16.56.5 name r5 broadcast 2222
dialer load-threshold 1 either
dialer-group 1
isdn switch-type basic-net3
no peer neighbor-route
ppp multilink
!
router eigrp 146
redistribute ospf 1
redistribute eigrp 68
passive-interface BRI0
passive-interface Serial0.2
passive-interface Serial1
network 172.16.146.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router eigrp 68
redistribute eigrp 146
redistribute ospf 1
passive-interface BRI0
passive-interface Serial0.1
passive-interface Serial0.2
network 172.16.86.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
redistribute eigrp 146 metric-type 1 subnets
redistribute eigrp 68 metric-type 1 subnets
network 172.16.6.0 0.0.0.255 area 60
network 172.16.56.0 0.0.0.255 area 0
network 172.16.100.0 0.0.0.255 area 0
!
router rip
passive-interface BRI0
passive-interface Ethernet0
passive-interface Serial0.1
passive-interface Serial0.2
passive-interface Serial1
network 172.16.0.0
network 192.168.6.0
!
router bgp 64500
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 100
aggregate-address 200.200.200.0 255.255.255.0 as-set summary-only
neighbor 172.16.3.1 remote-as 64500
neighbor 172.16.3.1 update-source Loopback0
neighbor 172.16.3.1 send-community
neighbor 172.16.3.1 route-map 200net out
neighbor 172.16.5.1 remote-as 64500
neighbor 172.16.5.1 update-source Loopback0
neighbor 172.16.5.1 send-community
neighbor 172.16.5.1 route-map 200net out
neighbor 172.16.8.1 remote-as 8
neighbor 172.16.8.1 ebgp-multihop 2
neighbor 172.16.8.1 update-source Loopback0
neighbor 172.16.8.1 route-map no100 out
neighbor 172.16.14.1 remote-as 14
neighbor 172.16.14.1 ebgp-multihop 2
neighbor 172.16.14.1 update-source Loopback0
neighbor 172.16.14.1 route-map Community in
no auto-summary
!
ip local policy route-map Routing
ip classless
ip http server
ip pim rp-address 172.16.6.1
!
!
ip prefix-list 200sum seq 5 permit 200.200.200.0/24
!
map-class frame-relay ClassA
no frame-relay adaptive-shaping
frame-relay cir 12000
frame-relay bc 1500
frame-relay be 3960
frame-relay mincir 6000
!
map-class frame-relay ClassB
no frame-relay adaptive-shaping
frame-relay cir 24000
frame-relay bc 3000
frame-relay be 7920
frame-relay mincir 12000
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 101 permit tcp 172.16.80.0 0.0.0.127 any eq www
access-list 101 permit tcp host 172.16.80.10 any eq smtp
access-list 101 permit tcp host 172.16.80.10 any eq pop3
access-list 101 permit tcp host 172.16.6.1 any eq telnet
access-list 101 permit tcp host 172.16.8.1 any eq telnet
access-list 101 permit tcp host 172.16.14.1 any eq telnet
access-list 101 permit ip 172.16.1.0 0.0.254.245 any
access-list 101 permit icmp any any
access-list 102 permit ip any host 172.16.134.13
access-list 102 permit ip any host 172.16.13.1
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit tcp any any eq 2065
access-list 104 permit tcp any eq 2065 any
access-list 104 permit tcp any any eq 2067
access-list 104 permit tcp any eq 2067 any
queue-list 1 protocol ip 1 list 104
queue-list 1 protocol ip 2
queue-list 1 default 3
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 1000
queue-list 1 queue 3 byte-count 1000
dialer-list 1 protocol ip list 101
route-map no100 deny 10
match ip address 1
!
route-map no100 permit 20
!
route-map 200net deny 10
match ip address prefix-list 200sum
!
route-map 200net permit 20
!
route-map Community permit 10
match ip address 1
set community local-AS
!
route-map Community permit 20
!
route-map Routing permit 10
match ip address 102
set ip next-hop 172.16.100.3
!
end
And for R13:
R13#sh run
Building configuration...
!
hostname R13
!
logging buffered 4096 debugging
!
memory-size iomem 10
clock timezone est -5
clock summer-time PAC recurring
ip subnet-zero
!
!
!
frame-relay switching
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.6.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.6.1
set transform-set SetA
match address 103
!
!
interface Loopback0
ip address 172.16.13.1 255.255.255.0
!
interface Loopback1
ip address 200.200.200.1 255.255.255.128
!
interface Loopback2
ip address 200.200.200.129 255.255.255.128
!
interface Loopback3
ip address 192.168.13.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.2 255.255.255.252
tunnel source 172.16.13.1
tunnel destination 172.16.6.1
crypto map MapA
!
interface FastEthernet0/0
ip address 172.16.134.13 255.255.255.0
duplex auto
speed auto
crypto map MapA
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map Connect
network 172.16.134.0 0.0.0.255 area 2
!
router rip
timers basic 60 360 360 480
passive-interface FastEthernet0/0
network 172.16.0.0
network 192.168.13.0
!
router bgp 65001
bgp log-neighbor-changes
bgp confederation identifier 134
bgp confederation peers 65002
network 200.200.200.0 mask 255.255.255.128
network 200.200.200.128 mask 255.255.255.128
neighbor 172.16.4.1 remote-as 65002
neighbor 172.16.4.1 ebgp-multihop 2
neighbor 172.16.4.1 update-source Loopback0
no auto-summary
!
ip local policy route-map Critical
ip classless
ip http server
!
!
ip prefix-list Loop seq 5 permit 172.16.13.0/24
!
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
route-map Critical permit 10
set ip precedence critical
!
route-map Connect permit 10
match ip address prefix-list Loop
!
end
R13#
Thanks in advance,
Regards,
Hunt
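The two access-list styles from the question (the inner-subnet ACL vs. the GRE host-to-host ACL) and the reply's description of which traffic each one selects can be checked offline with a small model of Cisco crypto-map ACL matching. The following is an added example, not code from the thread or from Cisco: it parses the posted `access-list 103` lines with real wildcard-mask semantics, evaluates them against three constructed packets (inner 192.168.6.0/24 to 192.168.13.0/24 traffic, the Tunnel0 GRE encapsulation between 172.16.6.1 and 172.16.13.1, and an unrelated host on R6's Ethernet0), and checks that the two peers' ACLs are mirror images, which is the usual cause of "works in one lab, not in the other". The `AddrSpec`, `Ace`, `Packet`, `crypto_selects` and `is_mirror` names are this example's own.

```python
"""Added example (not from the groupstudy thread or from Cisco): a small model of
Cisco crypto-map ACL selection, used to compare the two access-list styles
discussed in the thread. The addresses and ACL lines come from the posted
configs; the packets are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AddrSpec:
    """One Cisco address + wildcard pair. A wildcard bit of 1 means 'don't care',
    so non-contiguous wildcards (like 0.0.254.245 in the posted ACL 101) work too."""
    base: int
    wildcard: int

    def matches(self, addr: str) -> bool:
        keep = ~self.wildcard & 0xFFFFFFFF
        return (_ip(addr) & keep) == (self.base & keep)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any IP protocol; "gre", "icmp", ... match only that one
    src: AddrSpec
    dst: AddrSpec


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return AddrSpec(_ip(tokens[i + 1]), 0), i + 2
    return AddrSpec(_ip(tok), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST' line (no port operators)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return Ace(action, proto, src, dst)


def crypto_selects(acl, pkt: Packet) -> bool:
    """First-match evaluation. The implicit deny at the end means the packet is
    not protected by IPsec and is forwarded in the clear."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src.matches(pkt.src) and ace.dst.matches(pkt.dst):
            return ace.action == "permit"
    return False


def is_mirror(a: Ace, b: Ace) -> bool:
    """Peer crypto ACLs must be mirror images (src/dst swapped); otherwise the
    proxy identities disagree and the SA negotiation fails."""
    return (a.action, a.proto, a.src, a.dst) == (b.action, b.proto, b.dst, b.src)


# ACL lines as posted for R6 and R13, one per style.
R6_SUBNET = "access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255"
R13_SUBNET = "access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255"
R6_GRE = "access-list 103 permit gre host 172.16.6.1 host 172.16.13.1"
R13_GRE = "access-list 103 permit gre host 172.16.13.1 host 172.16.6.1"


def compare_styles():
    """Evaluate R6's crypto ACL of each style against three constructed packets
    leaving R6: inner LAN traffic, the Tunnel0 GRE encapsulation, and an unrelated host."""
    inner = Packet("icmp", "192.168.6.1", "192.168.13.1")   # 6.0/24 -> 13.0/24
    tunnel = Packet("gre", "172.16.6.1", "172.16.13.1")     # the GRE packet itself
    other = Packet("icmp", "25.1.1.1", "192.168.13.1")       # Ethernet0 host, not covered
    styles = {"subnet": [parse_ace(R6_SUBNET)], "gre": [parse_ace(R6_GRE)]}
    return {
        name: {
            "inner": crypto_selects(acl, inner),
            "tunnel": crypto_selects(acl, tunnel),
            "other": crypto_selects(acl, other),
        }
        for name, acl in styles.items()
    }


if __name__ == "__main__":
    for name, result in compare_styles().items():
        print(f"{name:>7} style:", ", ".join(f"{k}={'esp' if v else 'clear'}" for k, v in result.items()))
    print("subnet ACLs mirrored:", is_mirror(parse_ace(R6_SUBNET), parse_ace(R13_SUBNET)))
    print("mixed styles mirrored:", is_mirror(parse_ace(R6_SUBNET), parse_ace(R13_GRE)))
```

Running it shows the split the reply describes: the subnet style selects only the 192.168.x.0/24 traffic and leaves the GRE packet alone, while the GRE style selects only the tunnel packet, so anything not routed into Tunnel0 (the `other` packet in both styles, the LAN traffic in the GRE style) stays in the clear. The mirror check is the first thing to verify when one style works in one lab and not another: both ends must use the same style with src/dst swapped.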
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:02 GMT-3