From: Leigh Bichard (Leigh.Bichard@btinternet.com)
Date: Sun Jun 15 2003 - 11:08:59 GMT-3
Emre
Sorry, I got mixed up between your two ACLs 100 and 101. 100 is specifying
what to encrypt. 101, on the other hand, should not be seeing any GRE as the
packet has been transformed.
As to why GRE and IP both work - I guess it is because GRE is an IP packet.
Using GRE is more specific, therefore more secure.
Leigh
----- Original Message -----
From: "Emre Koyuncu" <emrekoyuncu@hotmail.com>
To: "Leigh Bichard" <leigh.bichard@btinternet.com>
Sent: Sunday, June 15, 2003 1:57 PM
Subject: Re: IPSEC/GRE
> Leigh,
>
> Thank you for your answer. I checked the "sh crypto ipsec sa" and in both
> situations the counters were incrementing. I also did a "sh access-list"
> and the hit count was incrementing in both cases as well.
> Also there is something else to mention. 1760===PIX---3642
> 1760 has VPN tunnel to PIX. On the other hand, remote end of tunnel
> interface is 3642.
> Any idea?
>
> ----- Original Message -----
> From: "Leigh Bichard" <Leigh.Bichard@btinternet.com>
> To: "Emre Koyuncu" <emrekoyuncu@hotmail.com>
> Sent: Sunday, June 15, 2003 6:15 AM
> Subject: Re: IPSEC/GRE
>
>
> > Emre
> >
> > I don't reckon you are encrypting your tunnel. You should see the crypto
> > associations with "sh crypto isakmp sa".
> >
> > If there are no associations try matching the underlying interface (in
> > this case eth0/0) and you will need to include on
> >
> > access-list 100 permit esp host <remote address> host 5.5.5.5
> > access-list 100 permit udp host <remote address> host 5.5.5.5 eq isakmp
> >
> > When these are seeing matches you know the crypto map is working
> >
> > Leigh
> >
> > ----- Original Message -----
> > From: "Emre Koyuncu" <emrekoyuncu@hotmail.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Sunday, June 15, 2003 5:16 AM
> > Subject: IPSEC/GRE
> >
> >
> > > Hi Group,
> > >
> > > Lately I have been working on a VPN project. I configured my routers
> > > for IPSEC and also used GRE as I need OSPF over VPN. I have a 1760 and
> > > 2620 at each site. 2620 is connected to HQ with T1 and 1760 is connected
> > > to HQ with VPN over DSL (backup connection). The following is how I
> > > configured my 1760s. This configuration works fine but I have a strange
> > > problem. One of my friends said that the access-list 100 must use ip as
> > > the protocol, not GRE. I explained to him why it must be GRE and then
> > > set a lab to show him. First we checked with protocol GRE and he was
> > > convinced. But after I changed access-list protocol to IP, it worked
> > > again?? How come it worked?
> > > Can somebody help me with this?
> > >
> > > For example consider a host connected to fastethernet port (not on
> > > config) with ip address of 8.8.8.8. He wants to ping 9.9.9.9. And
> > > 9.9.9.9 is known through tunnel interface. Until now I thought that the
> > > headers would be as follows:
> > > ip header source 8.8.8.8 destination 9.9.9.9
> > > gre header source 2.2.2.2 destination 4.4.4.4
> > > esp source 5.5.5.5 destination 1.1.1.1
> > >
> > > crypto isakmp policy 1
> > > encr 3des
> > > hash md5
> > > authentication pre-share
> > > group 2
> > > crypto isakmp key x.x.x.x address 1.1.1.1
> > > !
> > > !
> > > crypto ipsec transform-set 1 esp-3des esp-md5-hmac
> > > !
> > > crypto map emre 1 ipsec-isakmp
> > > set peer 1.1.1.1
> > > set transform-set 1
> > > match address 100
> > > !
> > >
> > > interface Loopback0
> > > ip address 2.2.2.2 255.255.255.0
> > > !
> > > interface Tunnel0
> > > ip address 3.3.3.3 255.255.255.0
> > > tunnel source 2.2.2.2
> > > tunnel destination 4.4.4.4
> > > crypto map emre
> > > !
> > > interface Ethernet0/0
> > > description *Internet Connection*
> > > ip address 5.5.5.5 255.255.255.0
> > > ip access-group 101 in
> > > half-duplex
> > > fair-queue
> > > crypto map emre
> > > !
> > > access-list 100 permit gre host 2.2.2.2 host 4.4.4.4
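Leigh's point about the two access-lists, as an added toy model that is not part of the thread: it applies IOS-style access-list matching (`ip` matches any protocol, a named protocol only its own number) to the packets from Emre's example, and assumes the peer 1.1.1.1 fills in Leigh's `<remote address>`.

```python
from dataclasses import dataclass
from typing import Optional
PROTO = {"icmp": 1, "udp": 17, "gre": 47, "esp": 50}  # IANA IP protocol numbers
PORTS = {"isakmp": 500}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                        # protocol field of the outer IP header
    dport: Optional[int] = None       # UDP destination port, if any
    inner: Optional["Packet"] = None  # encapsulated packet; an ACL never looks inside

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit <proto> host A host B [eq <port>]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "permit" and t[4] == t[6] == "host"
    port = t[t.index("eq") + 1] if "eq" in t else None
    dport = None if port is None else PORTS.get(port) or int(port)
    return {"proto": t[3], "src": t[5], "dst": t[7], "dport": dport}

def matches(ace: dict, pkt: Packet) -> bool:
    """IOS semantics: 'ip' matches every protocol, a named one only its number."""
    if (ace["src"], ace["dst"]) != (pkt.src, pkt.dst):
        return False
    if ace["proto"] != "ip" and PROTO[ace["proto"]] != pkt.proto:
        return False
    return ace["dport"] in (None, pkt.dport)

ACL100_GRE = parse_ace("access-list 100 permit gre host 2.2.2.2 host 4.4.4.4")
ACL100_IP = parse_ace("access-list 100 permit ip host 2.2.2.2 host 4.4.4.4")
ACL101 = [parse_ace("access-list 101 permit esp host 1.1.1.1 host 5.5.5.5"),
          parse_ace("access-list 101 permit udp host 1.1.1.1 host 5.5.5.5 eq isakmp")]

def lab() -> dict:
    """Constructed traffic: 8.8.8.8 pings 9.9.9.9 through Tunnel0; 'match address 100' sees the GRE packet."""
    gre_out = Packet("2.2.2.2", "4.4.4.4", PROTO["gre"], inner=Packet("8.8.8.8", "9.9.9.9", PROTO["icmp"]))
    plain = Packet("2.2.2.2", "4.4.4.4", PROTO["icmp"])  # loopback-to-loopback ping, no GRE
    esp_in = Packet("1.1.1.1", "5.5.5.5", PROTO["esp"], inner=Packet("4.4.4.4", "2.2.2.2", PROTO["gre"]))
    ike_in = Packet("1.1.1.1", "5.5.5.5", PROTO["udp"], dport=500)
    acl101_gre = parse_ace("access-list 101 permit gre host 4.4.4.4 host 2.2.2.2")  # hypothetical entry
    return {
        "gre_acl_matches_tunnel": matches(ACL100_GRE, gre_out),  # True
        "ip_acl_matches_tunnel": matches(ACL100_IP, gre_out),    # True: GRE is IP protocol 47
        "gre_acl_matches_plain": matches(ACL100_GRE, plain),     # False: gre is the tighter rule
        "ip_acl_matches_plain": matches(ACL100_IP, plain),       # True: 'ip' would encrypt this too
        "acl101_gre_entry_hits": matches(acl101_gre, esp_in),    # False: Ethernet0/0 only sees ESP
        "acl101_passes_esp": any(matches(a, esp_in) for a in ACL101),  # True
        "acl101_passes_ike": any(matches(a, ike_in) for a in ACL101),  # True
    }
```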
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:58 GMT-3