From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Thu Apr 24 2003 - 06:40:57 GMT-3
Kevin,
No crypto on the physicals.....
Here you go...
The key to making this work is "crypto map MYMAP local-address Tunnel0" at both ends.
Daniel
E0-R14---IP CLOUD---R13-E0
R14#s
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 34.34.34.13
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
set peer 34.34.34.13
set transform-set MYSET
match address 103
!
!
interface Ethernet0
ip address 192.168.6.1 255.255.255.0
!
interface Tunnel0
ip address 34.34.34.14 255.255.255.0
tunnel source 150.100.32.10
tunnel destination 137.20.20.13
crypto map MYMAP
!
interface Serial0
ip address 150.100.32.10 255.255.224.0
!
interface Serial1
no ip address
shutdown
!
router rip
version 2
timers basic 5 15 15 20
network 34.0.0.0
network 192.168.6.0
no auto-summary
!
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
R13#s
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 34.34.34.14
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
set peer 34.34.34.14
set transform-set MYSET
match address 103
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.13.1 255.255.255.0
!
interface Tunnel0
ip address 34.34.34.13 255.255.255.0
tunnel source 137.20.20.13
tunnel destination 150.100.32.10
crypto map MYMAP
!
interface Serial0
ip address 137.20.20.13 255.255.255.0
!
router rip
version 2
timers basic 5 15 15 20
network 34.0.0.0
network 192.168.13.0
no auto-summary
!
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!
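As an added illustration (not part of Daniel's post), a small Python check of the pitfall he describes: each side's IKE/ESP source address must equal what the other side has in "set peer" and "crypto isakmp key ... address". Without "crypto map MYMAP local-address Tunnel0" that source falls back to the physical tunnel-source interface and the addresses no longer line up. The parser and the trimmed R14/R13 configs are constructed for this example; they are not IOS.

```python
import re

# Constructed, trimmed copies of the R14/R13 configs in the post (only the lines the check reads).
R14 = """crypto isakmp key cisco address 34.34.34.13
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
 set peer 34.34.34.13
interface Tunnel0
 ip address 34.34.34.14 255.255.255.0
 tunnel source 150.100.32.10"""
R13 = """crypto isakmp key cisco address 34.34.34.14
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
 set peer 34.34.34.14
interface Tunnel0
 ip address 34.34.34.13 255.255.255.0
 tunnel source 137.20.20.13"""

def parse(cfg):
    """Pull out just the IOS statements the check needs (ad-hoc parser, not IOS)."""
    r, cur = {"ifaces": {}, "peer": None, "key_addr": None, "local_if": None, "tun_src": None}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            r["ifaces"][cur] = m.group(1)
        elif m := re.match(r"tunnel source (\S+)", line):
            r["tun_src"] = m.group(1)
        elif m := re.match(r"set peer (\S+)", line):
            r["peer"] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            r["key_addr"] = m.group(1)
        elif m := re.match(r"crypto map \S+ local-address (\S+)", line):
            r["local_if"] = m.group(1)
    return r

def ike_source(r):
    """Address this router sources IKE/ESP from: the local-address interface if set,
    otherwise the physical tunnel source (the case Daniel says breaks set peer / PSK)."""
    return r["ifaces"].get(r["local_if"]) if r["local_if"] else r["tun_src"]

def check_pair(cfg_a, cfg_b):
    """List every place the other side's 'set peer' / key address disagrees with the real source."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    for me, other, name in ((a, b, "side A"), (b, a, "side B")):
        src = ike_source(me)
        for what, val in (("set peer", other["peer"]), ("isakmp key address", other["key_addr"])):
            if val != src:
                issues.append(f"{name} sources IKE from {src} but its peer has '{what} {val}'")
    return issues
```

check_pair(R14, R13) returns an empty list for the configs above; drop the local-address line from one side and it reports both the peer and the pre-shared key address as mismatched against that side's physical address.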
-----Original Message-----
From: Kevin Tang [mailto:Kevin.Tang@telecom.co.nz]
Sent: Thursday, 24 April 2003 14:04
To: Daniel Cisco Group Study
Subject: RE: IPSec confusion
Hi, Daniel
I am getting lost. If you apply a crypto map, it should be under the tunnel interface and the phy interface, so where does your "crypto map mymap local tunn0" come from? Please give me a config example.
Regards
Kevin
-----Original Message-----
From: Daniel Cisco Group Study [mailto:danielcgs@imc.net.au]
Sent: Thursday, 24 April 2003 09:31
To: aa bb; Wayne.Baety@kadena.af.mil; lg01@myway.com;
ccielab@groupstudy.com
Cc: huntl@webcentral.com.au; Daniel Cisco Group Study
Subject: RE: IPSec confusion
To add another $0.01, if you only use the crypto map on the tunnel interface, make sure you specify something like "crypto map mymap local tunn0".
Otherwise the IPSEC tunnel is sourced from the phy interface, not the tunnel interface, and you get problems with set peer commands and the pre share keys....etc... I learnt this the hard way...
Daniel
-----Original Message-----
From: aa bb [mailto:zhangjimmy2002@yahoo.com]
Sent: Thursday, 24 April 2003 12:53 AM
To: Wayne.Baety@kadena.af.mil; lg01@myway.com; ccielab@groupstudy.com
Cc: huntl@webcentral.com.au; Daniel Cisco Group Study
Subject: RE: IPSec confusion
Hi,
I agree with Daniel. However, if you use the first acl, then you can only apply the crypto map under the tunnel interface, no need to apply to the physical interface, but if you use the gre acl, you must apply the crypto map both under the tunnel interface and the physical interface. Just my $0.02!
Jimmy
Subject: RE: IPSec confusion
To: "Baety Wayne SrA 18 CS/SCBX"
<Wayne.Baety@kadena.af.mil>,
"lg01"
<lg01@myway.com>, <ccielab@groupstudy.com>
Cc: <huntl@webcentral.com.au>
Not Quite.....
From my investigations, I found that if you use the gre acl, then you get a "GRE over ESP" type tunnel. Everything running over the tunnel is encrypted and a protocol analyzer would see ESP (IP 50) packets & UDP 500. Just do a debug ip packet detail on an intermediate router...
With the first style access list, you get an "ESP over GRE" type tunnel, where the 13.0/24 <--> 6.0/24 traffic is encrypted and travels over a GRE tunnel. However, the router to router traffic, like RIP in this situation, doesn't get encrypted. A debug ip packet detail shows IP 47 (GRE). A protocol analyser will show the esp encapsulated within GRE.
Daniel
-----Original Message-----
From: Baety Wayne SrA 18 CS/SCBX
[mailto:Wayne.Baety@kadena.af.mil]
Sent: Wednesday, 23 April 2003 16:54
To: 'lg01'; ccielab@groupstudy.com
Subject: RE: IPSec confusion
The first style of access list encrypts traffic coming from 13.0/24 to 6.0/24 and vice versa only. It does not encrypt the gre tunnel. It would not encrypt any other traffic from any other networks. The second encrypts all traffic sent through the gre tunnel, because you are really encrypting the tunnel itself. Upper layers encapsulated within gre are inherently encrypted.
If you could place a protocol analyzer between r13 and r4 and you use the first style of access list you would see isakmp and esp traffic. The esp traffic would be your encrypted 13.0/24 and 6.0/24 networks. You would also see gre traffic occurring alongside, but you are not associating the gre tunnel traffic with your ipsec configuration. It's just all by itself doing its own thing.
With the second style of access list you would only see gre traffic with a protocol analyzer, as long as you route 13.0/24 and 6.0/24 through the tunnel. If you do not route those networks through the tunnel they will not be encrypted, however, they will still attempt SA bindings and will eventually fail.
-----Original Message-----
From: lg01 [mailto:lg01@myway.com]
Sent: Tuesday, April 22, 2003 10:54 PM
To: ccielab@groupstudy.com
Subject: IPSec confusion
Last question for the nite before heading to bed ;)
192.168.6.0/24
|
R6
/ \
R3 R5
\ /
R1
|
|
R4
|
|
R13
|
192.168.13.0/24
Ok, that was the topology. And now I have an IPSec tunnel connected directly from R6 to R13...
And here are the 2 GRE tunnel interfaces:
r6#sh run int tu0
Building configuration...
Current configuration : 141 bytes
!
interface Tunnel0
ip address 172.16.210.1 255.255.255.252
tunnel source 172.16.6.1
tunnel destination 172.16.13.1
crypto map MapA
end
r6#
R13#sh run int tunnel 0
Building configuration...
Current configuration : 141 bytes
!
interface Tunnel0
ip address 172.16.210.2 255.255.255.252
tunnel source 172.16.13.1
tunnel destination 172.16.6.1
crypto map MapA
end
R13#
And I want to encrypt the traffic between
192.168.6.0/24 & 192.168.13.0/24
Now, I have heard of 2 ways to do this...
One is via:-
On R13:
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
On R6:
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
OR (just encrypt on the tunnel endpoints by GRE)
On R13:
access-list 103 permit gre host 172.16.13.1 host 172.16.6.1
On R6:
access-list 103 permit gre host 172.16.6.1 host 172.16.13.1
It seems that on some exercises I did, the 1st case works, while on other ones, the 2nd one works.... so what decides when I should use each?
Just for completeness, I have also attached the full config for the 2 routers:-
r6#sh run
!
ip multicast-routing
isdn switch-type basic-net3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.13.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.13.1
set transform-set SetA
match address 103
!
!
!
!
interface Loopback0
ip address 172.16.6.1 255.255.255.0
ip pim sparse-mode
ip ospf network point-to-point
!
interface Loopback1
ip address 192.168.6.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.1 255.255.255.252
tunnel source 172.16.6.1
tunnel destination 172.16.13.1
crypto map MapA
!
interface Ethernet0
ip address 25.1.1.1 255.255.255.0
!
interface Serial0
no ip address
encapsulation frame-relay
no fair-queue
clockrate 64000
frame-relay traffic-shaping
!
interface Serial0.1 point-to-point
bandwidth 16
ip address 172.16.146.6 255.255.255.240
frame-relay interface-dlci 614
class ClassA
!
interface Serial0.2 multipoint
bandwidth 48
backup delay 10 60
backup interface BRI0
ip address 172.16.100.6 255.255.255.224
ip pim nbma-mode
ip pim sparse-mode
ip ospf message-digest-key 1 md5 cisco
ip ospf network point-to-multipoint
frame-relay map ip 172.16.100.3 603 broadcast
frame-relay map ip 172.16.100.5 605 broadcast
frame-relay interface-dlci 603
class ClassB
frame-relay interface-dlci 605
class ClassA
no frame-relay inverse-arp
crypto map MapA
!
interface Serial1
ip address 172.16.86.6 255.255.255.0
ip pim sparse-mode
custom-queue-list 1
!
interface BRI0
ip address 172.16.56.6 255.255.255.248
encapsulation ppp
dialer idle-timeout 240
dialer map ip 172.16.56.5 name r5 broadcast 2222
dialer load-threshold 1 either
dialer-group 1
isdn switch-type basic-net3
no peer neighbor-route
ppp multilink
!
router eigrp 146
redistribute ospf 1
redistribute eigrp 68
passive-interface BRI0
passive-interface Serial0.2
passive-interface Serial1
network 172.16.146.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router eigrp 68
redistribute eigrp 146
redistribute ospf 1
passive-interface BRI0
passive-interface Serial0.1
passive-interface Serial0.2
network 172.16.86.0 0.0.0.255
default-metric 10000 1000 255 1 1500
no auto-summary
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
redistribute eigrp 146 metric-type 1 subnets
redistribute eigrp 68 metric-type 1 subnets
network 172.16.6.0 0.0.0.255 area 60
network 172.16.56.0 0.0.0.255 area 0
network 172.16.100.0 0.0.0.255 area 0
!
router rip
passive-interface BRI0
passive-interface Ethernet0
passive-interface Serial0.1
passive-interface Serial0.2
passive-interface Serial1
network 172.16.0.0
network 192.168.6.0
!
router bgp 64500
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 100
aggregate-address 200.200.200.0 255.255.255.0 as-set summary-only
neighbor 172.16.3.1 remote-as 64500
neighbor 172.16.3.1 update-source Loopback0
neighbor 172.16.3.1 send-community
neighbor 172.16.3.1 route-map 200net out
neighbor 172.16.5.1 remote-as 64500
neighbor 172.16.5.1 update-source Loopback0
neighbor 172.16.5.1 send-community
neighbor 172.16.5.1 route-map 200net out
neighbor 172.16.8.1 remote-as 8
neighbor 172.16.8.1 ebgp-multihop 2
neighbor 172.16.8.1 update-source Loopback0
neighbor 172.16.8.1 route-map no100 out
neighbor 172.16.14.1 remote-as 14
neighbor 172.16.14.1 ebgp-multihop 2
neighbor 172.16.14.1 update-source Loopback0
neighbor 172.16.14.1 route-map Community in
no auto-summary
!
ip local policy route-map Routing
ip classless
ip http server
ip pim rp-address 172.16.6.1
!
!
ip prefix-list 200sum seq 5 permit 200.200.200.0/24
!
map-class frame-relay ClassA
no frame-relay adaptive-shaping
frame-relay cir 12000
frame-relay bc 1500
frame-relay be 3960
frame-relay mincir 6000
!
map-class frame-relay ClassB
no frame-relay adaptive-shaping
frame-relay cir 24000
frame-relay bc 3000
frame-relay be 7920
frame-relay mincir 12000
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 101 permit tcp 172.16.80.0 0.0.0.127 any eq www
access-list 101 permit tcp host 172.16.80.10 any eq smtp
access-list 101 permit tcp host 172.16.80.10 any eq pop3
access-list 101 permit tcp host 172.16.6.1 any eq telnet
access-list 101 permit tcp host 172.16.8.1 any eq telnet
access-list 101 permit tcp host 172.16.14.1 any eq telnet
access-list 101 permit ip 172.16.1.0 0.0.254.245 any
access-list 101 permit icmp any any
access-list 102 permit ip any host 172.16.134.13
access-list 102 permit ip any host 172.16.13.1
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit tcp any any eq 2065
access-list 104 permit tcp any eq 2065 any
access-list 104 permit tcp any any eq 2067
access-list 104 permit tcp any eq 2067 any
queue-list 1 protocol ip 1 list 104
queue-list 1 protocol ip 2
queue-list 1 default 3
queue-list 1 queue 1 byte-count 2000
queue-list 1 queue 2 byte-count 1000
queue-list 1 queue 3 byte-count 1000
dialer-list 1 protocol ip list 101
route-map no100 deny 10
match ip address 1
!
route-map no100 permit 20
!
route-map 200net deny 10
match ip address prefix-list 200sum
!
route-map 200net permit 20
!
route-map Community permit 10
match ip address 1
set community local-AS
!
route-map Community permit 20
!
route-map Routing permit 10
match ip address 102
set ip next-hop 172.16.100.3
!
end
And for R13:
R13#sh run
Building configuration...
!
hostname R13
!
logging buffered 4096 debugging
!
memory-size iomem 10
clock timezone est -5
clock summer-time PAC recurring
ip subnet-zero
!
!
!
frame-relay switching
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 172.16.6.1
!
!
crypto ipsec transform-set SetA esp-des esp-sha-hmac
!
crypto map MapA 10 ipsec-isakmp
set peer 172.16.6.1
set transform-set SetA
match address 103
!
!
interface Loopback0
ip address 172.16.13.1 255.255.255.0
!
interface Loopback1
ip address 200.200.200.1 255.255.255.128
!
interface Loopback2
ip address 200.200.200.129 255.255.255.128
!
interface Loopback3
ip address 192.168.13.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.210.2 255.255.255.252
tunnel source 172.16.13.1
tunnel destination 172.16.6.1
crypto map MapA
!
interface FastEthernet0/0
ip address 172.16.134.13 255.255.255.0
duplex auto
speed auto
crypto map MapA
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map Connect
network 172.16.134.0 0.0.0.255 area 2
!
router rip
timers basic 60 360 360 480
passive-interface FastEthernet0/0
network 172.16.0.0
network 192.168.13.0
!
router bgp 65001
bgp log-neighbor-changes
bgp confederation identifier 134
bgp confederation peers 65002
network 200.200.200.0 mask 255.255.255.128
network 200.200.200.128 mask 255.255.255.128
neighbor 172.16.4.1 remote-as 65002
neighbor 172.16.4.1 ebgp-multihop 2
neighbor 172.16.4.1 update-source Loopback0
no auto-summary
!
ip local policy route-map Critical
ip classless
ip http server
!
!
ip prefix-list Loop seq 5 permit 172.16.13.0/24
!
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
route-map Critical permit 10
set ip precedence critical
!
route-map Connect permit 10
match ip address prefix-list Loop
!
end
R13#
Thanks in advance,
Regards,
Hunt
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:04 GMT-3