From: Teisberg, Evan (eteisbe@qwest.com)
Date: Fri May 02 2003 - 09:50:52 GMT-3
Bala,
There is nothing wrong with putting in multiple access-list entries in your
crypto access-list.
You're correct, when a match on line 1 occurs, the router will not continue
through the list. But if line 1 does NOT match, the router will keep on
checking the subsequent lines until it does find a match.
It is very common to have multiple internal networks (different major
networks) on either side of a site-to-site VPN tunnel. You just need to
define which networks you DO or DO NOT want to go through the VPN tunnel.
Multiple line access-lists work fine, just make sure the other end has a
"mirror-image" access-list.
If you had a hub and spoke VPN set-up, then you would have separate
crypto-map entries and separate access-lists for each site. In this set-up
you still could have multiple line access-list entries for each site without
a problem.
HTH
-Evan.
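The crypto access-list behaviour discussed in this thread (entries are checked top-down and the first match wins, a permit means the flow must be IPsec in both directions, and the two ends must be mirror images), as an added example that is not code from the thread or from IOS: a small Python model of the evaluation, run over the three access-lists quoted in this thread. The wildcard parsing and the 'protect'/'clear' outcome are my own modelling assumptions, not router output.

```python
import ipaddress
# Constructed model of how IOS evaluates a crypto map access-list (not code from
# the thread): top-down, first match wins, and a "permit" match means the flow
# must be IPsec, outbound and when it arrives on the crypto-mapped interface.
PROTO_NUM = {"ip": None, "icmp": 1, "eigrp": 88}  # None = any IP protocol

def _addr(tok, i):  # one address field: any | host A | A WILDCARD
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """'access-list 101 permit ip A WA B WB' -> (action, proto, (A, WA), (B, WB))."""
    tok = line.split()
    src, i = _addr(tok, 4)
    return tok[2], tok[3], src, _addr(tok, i)[0]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def classify(acl, proto, src, dst):
    """Return 'protect' or 'clear' for one packet using first-match semantics."""
    for action, pname, (sb, sw), (db, dw) in map(parse_ace, acl):
        want = PROTO_NUM[pname]
        if want is not None and want != proto:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "protect" if action == "permit" else "clear"
    return "clear"  # implicit deny at the end of every ACL: traffic stays clear

def is_mirror(acl_a, acl_b):
    """Evan's rule of thumb: B must equal A with source and destination swapped."""
    swapped = [(act, p, dst, src) for act, p, src, dst in map(parse_ace, acl_a)]
    return swapped == list(map(parse_ace, acl_b))
# The three lists quoted in the thread (Joseph's original, Evan's R1 and R2).
JOSEPH_101 = ["access-list 101 permit eigrp any any", "access-list 101 permit ip any any",
              "access-list 101 permit icmp any any"]
R1_101 = ["access-list 101 permit ip 150.100.10.0 0.0.0.255 133.10.23.0 0.0.0.63",
          "access-list 101 permit ip 133.10.1.0 0.0.0.255 133.10.2.0 0.0.0.255"]
R2_101 = ["access-list 101 permit ip 133.10.23.0 0.0.0.63 150.100.10.0 0.0.0.255",
          "access-list 101 permit ip 133.10.2.0 0.0.0.255 133.10.1.0 0.0.0.255"]
def demo():
    hello = (88, "133.10.12.2", "224.0.0.10")  # the EIGRP packet in R1's log
    return {"joseph_hello": classify(JOSEPH_101, *hello),  # 'protect': clear hello dropped
            "evan_hello": classify(R1_101, *hello),  # 'clear': EIGRP passes unencrypted
            "evan_lan": classify(R1_101, 1, "150.100.10.5", "133.10.23.9"),  # 'protect'
            "mirror": is_mirror(R1_101, R2_101)}  # True
```

With Joseph's list the cleartext EIGRP hello itself classifies as "protect", which is exactly the packet the RECVD_PKT_NOT_IPSEC log complains about; with Evan's lists it falls through to the implicit deny and is left alone while the LAN-to-LAN traffic is still protected.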
-----Original Message-----
From: balaji.balakrishnan [mailto:balaji.balakrishnan@swift.com]
Sent: Thursday, May 01, 2003 10:10 AM
To: Teisberg, Evan
Cc: 'Joseph Hao'; ccielab@groupstudy.com
Subject: Re: IPSec Encryption of EIGRP - Weird Problem (longish)
I believe a crypto access-list should not have more than one permit statement.
This is because when it finds the first permit statement, it will quit the
crypto list and thus the subsequent permit statements would never be scanned.
The solution is to aggregate all the required IP entries into a single permit
statement. If that is not possible, then you need to create separate tunnels
for each permit statement, and all crypto maps would have the same tunnel
source and destinations (I mean separate crypto map, crypto access-list etc.).
Let me know if this is wrong?
Rgds,
Bala.
"Teisberg, Evan" wrote:
> Joseph,
>
> I'll give it a try.
>
> You should never use "permit ip any any" in a crypto map access-list. The
> access-list does two things:
>
> 1)Tells the router what traffic to encrypt (outbound).
>
> 2)Tells the router what traffic coming INTO the router must be encrypted
> (inbound).
>
> With a "permit ip any any" statement, the router will ONLY accept encrypted
> traffic coming in on your serial 1 interface (because everything is a match
> for "permit ip any any"). This is what is breaking your eigrp.
>
> You're getting the "Rec'd packet not an IPSEC packet" error because your
> access-list 101 matches everything (permit ip any any). This means
> everything received on serial 1 into the router must be encrypted traffic,
> or it will be rejected. I believe that the multicast eigrp traffic
> originating from serial 1 interface will never be encrypted.
>
> To fix this (and encrypt traffic between the two ethernet subnets and the
> two loopbacks):
>
> Make R1 list 101:
> access-list 101 permit ip 150.100.10.0 0.0.0.255 133.10.23.0 0.0.0.63
> access-list 101 permit ip 133.10.1.0 0.0.0.255 133.10.2.0 0.0.0.255
>
> Make R2 list 101:
> access-list 101 permit ip 133.10.23.0 0.0.0.63 150.100.10.0 0.0.0.255
> access-list 101 permit ip 133.10.2.0 0.0.0.255 133.10.1.0 0.0.0.255
>
> Note how these access-lists are mirror images of one another. This is a good
> rule-of-thumb to always follow on IPSEC crypto map access-lists.
>
> I think this is the problem.
>
> Good luck!
>
> -Evan.
>
> -----Original Message-----
> From: Joseph Hao [mailto:jthao1@hotmail.com]
> Sent: Thursday, May 01, 2003 5:04 AM
> To: ccielab@groupstudy.com
> Subject: IPSec Encryption of EIGRP - Weird Problem (longish)
>
> Hello Folks,
>
> I'm trying to configure IPSec encryption across the serial link of 2 routers
> (R1 and R2). I am also trying to run EIGRP over the same link. After
> configuring IPSec, the EIGRP is no longer running.
>
> I've been up all night and I'm tired and I'm missing something very simple
> here, so if anyone who's fresh can look at my configs that would be great.
>
> The full configs are below with the corresponding error message. As you can
> see, IPSec configs are correct because pings work. I suspect an IOS issue
> so if somebody can run the configs on a different IOS version, we can
> compare the results.
>
> Thanks
> Joseph
>
> Current configuration : 2083 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R1
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> key chain jochain1
> key 10
> key-string password
> accept-lifetime 00:00:00 Jan 1 1993 infinite
> send-lifetime 00:00:00 Jan 1 1993 infinite
> !
> !
> crypto isakmp policy 10
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key password address 133.10.12.2
> !
> !
> crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
> !
> crypto map jomap1 10 ipsec-isakmp
> set peer 133.10.12.2
> set security-association level per-host
> set transform-set jotransform1
> set pfs group2
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 133.10.1.1 255.255.255.0
> !
> interface Ethernet0
> ip address 150.100.10.1 255.255.255.0
> !
> interface Serial0
> no ip address
> shutdown
> no fair-queue
> !
> interface Serial1
> ip address 133.10.12.1 255.255.255.0
> clockrate 64000
> crypto map jomap1
> !
> interface BRI0
> no ip address
> shutdown
> isdn x25 static-tei 0
> !
> router eigrp 10
> redistribute bgp 3000 metric 100 10 255 1 1500
> network 133.10.1.1 0.0.0.0
> network 133.10.12.1 0.0.0.0
> network 150.100.10.1 0.0.0.0
> no auto-summary
> eigrp log-neighbor-changes
> !
> router bgp 3000
> no synchronization
> bgp log-neighbor-changes
> redistribute eigrp 10 metric 3333
> neighbor 133.10.8.8 remote-as 3000
> neighbor 133.10.8.8 ebgp-multihop 10
> neighbor 133.10.8.8 update-source Loopback0
> neighbor 150.100.10.9 remote-as 1000
> neighbor 150.100.10.9 password password
> no auto-summary
> !
> ip classless
> ip http server
> !
> access-list 101 permit eigrp any any
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> !
> alias router e exit
> alias line e exit
> alias interface e exit
> alias configure e exit
> alias exec p ping
> alias exec c config t
> alias exec s sh run
> alias exec sip sh ip route
> alias exec sib sh ip bgp
> alias exec cib clear ip bgp *
> alias exec cip clear ip route *
> alias exec co clear ip ospf process
> alias exec crs copy run start
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R1#
> 00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:09:57: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:11:02: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> R1#
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
>
> 00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
> Success rate is 0 percent (0/5)
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/108 ms
> R1#
> 00:13:05: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:14:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:15:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
>
> Current configuration : 2525 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R2
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> frame-relay switching
> !
> key chain jochain1
> key 10
> key-string password
> accept-lifetime 00:00:00 Jan 1 1993 infinite
> send-lifetime 00:00:00 Jan 1 1993 infinite
> !
> !
> crypto isakmp policy 10
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key password address 133.10.12.1
> !
> !
> crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
> !
> crypto map jomap1 10 ipsec-isakmp
> set peer 133.10.12.1
> set security-association level per-host
> set transform-set jotransform1
> set pfs group2
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 133.10.2.2 255.255.255.0
> ip ospf network point-to-point
> !
> interface Ethernet0
> ip address 133.10.23.2 255.255.255.192
> no ip redirects
> standby 1 ip 133.10.23.1
> standby 1 priority 200
> standby 1 preempt
> standby 1 authentication password
> standby 1 track Serial0 150
> !
> interface Serial0
> ip address 133.10.235.2 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 password
> ip ospf priority 0
> no fair-queue
> clockrate 64000
> frame-relay map ip 133.10.235.8 300 broadcast
> frame-relay map ip 133.10.235.3 300 broadcast
> frame-relay lmi-type ansi
> frame-relay intf-type dce
> !
> interface Serial1
> ip address 133.10.12.2 255.255.255.0
> crypto map jomap1
> !
> interface BRI0
> no ip address
> shutdown
> isdn x25 static-tei 0
> !
> router eigrp 10
> redistribute ospf 10 metric 100 10 255 1 1500 match internal external 1 external 2
> network 133.10.12.2 0.0.0.0
> no auto-summary
> eigrp log-neighbor-changes
> !
> router ospf 10
> log-adjacency-changes
> area 0 authentication message-digest
> area 2 range 133.10.23.0 255.255.255.0
> redistribute eigrp 10 metric 199 metric-type 1 subnets
> network 133.10.2.2 0.0.0.0 area 0
> network 133.10.23.2 0.0.0.0 area 2
> network 133.10.235.2 0.0.0.0 area 0
> !
> ip classless
> ip http server
> !
> access-list 101 permit eigrp any any
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> !
> alias router e exit
> alias line e exit
> alias interface e exit
> alias configure e exit
> alias exec p ping
> alias exec c config t
> alias exec s sh run
> alias exec sip sh ip route
> alias exec sib sh ip bgp
> alias exec cib clear ip bgp *
> alias exec cip clear ip route *
> alias exec co clear ip ospf process
> alias exec crs copy run start
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R2#
> 00:09:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:10:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:11:34: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:12:37: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3