From: Mike Street (mstreet@xtra.co.nz)
Date: Sun Jun 15 2003 - 20:38:31 GMT-3
> Hi everybody,
> I have just been doing some IPSEC practice and have
> noticed a couple of things which are a bit strange.
>
> 1. My understanding was that doing NAT to an IPSEC tunnel broke it for
> various reasons and yet I have done it and experienced no problems. I
> expected the IPSEC SAs to not get accepted. Strange. I have included a
> config below. Note that I was doing the NAT on another box, this config
> was set up for PAT going to the internet. I am aware that this config
> will not NAT the tunnel, that was the idea. Can anybody clarify this for
> me?
>
> 2. In an environment where you are using IPSEC across the internet you
> are surely going to want to have an inbound access-list on the router's
> public interface. Naturally, this ACL must permit IKE and ESP. I have
> found that the following happens:
>
> Encrypted packet hits the public interface of the router.
> Encrypted packet is checked against the ACL, so ESP must be allowed.
> Packet is decrypted.
> DECRYPTED PACKET IS THEN RECHECKED AGAINST THE ACL ON THE PUBLIC
> INTERFACE!!
>
> This seems very bizarre as that means that you cannot distinguish
> between packets sourced from the internet and packets sourced through
> the tunnel. Thus in order to accept the IPSEC traffic you have to open
> up lots of extra holes which can also be accessed directly from the
> internet.
>
> In my lab I was just doing pings through the tunnel but I had to permit
> ICMP on the router's public interface to get them to work.
>
> I thought it might be a bug but I have tried several IOS versions right
> up to 12.3 and 25xx, 827 and 837 hardware platforms with the same
> result.
>
> If anybody has any ideas, I would love to hear from you
>
> Thanks
>
> Regards
>
> Mike Street.
>
>
> Both configs for this test at each end were logically identical, here is
> one of them.
>
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r2501b
> !
> enable password cisco
> !
> username test privilege 5 password 0 testpassword
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key cisco address y.y.y.y
> !
> !
> crypto ipsec transform-set TO_VPN esp-des esp-md5-hmac
> !
> crypto map TO_VPN 10 ipsec-isakmp
> set peer y.y.y.y
> set transform-set TO_VPN
> match address ENCRYPT_THIS
> !
> !
> !
> !
> interface Loopback0
> no ip address
> !
> interface Ethernet0
> ip address x.x.x.x 255.255.255.0
> ip access-group 150 in
> ip nat outside
> no keepalive
> crypto map TO_VPN
> !
> interface Serial0
> ip address 11.1.1.1 255.255.255.252
> ip nat inside
> !
> interface Serial1
> bandwidth 1000
> no ip address
> shutdown
> !
> ip nat inside source list NAT_THIS interface Ethernet0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 x.x.x.1
> no ip http server
> !
> !
> ip access-list extended ENCRYPT_THIS
> permit ip 11.1.1.0 0.0.0.3 any
> ip access-list extended NAT_THIS
> deny ip 11.1.1.0 0.0.0.3 any
> permit ip any any
> access-list 150 permit udp any any eq isakmp
> access-list 150 permit udp any eq isakmp any
> access-list 150 permit esp any any
> access-list 150 permit icmp any any
> access-list 150 deny ip any any log
> !
> snmp-server community public RO 1
> !
> line con 0
> logging synchronous
> line aux 0
> line vty 0 4
> password cisco
> login
> !
> end
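The two-pass check the post describes, as an added Python model written for this archive page (not code from the list or from Cisco): it evaluates the quoted access-list 150 on the arriving ESP packet and again on the decrypted packet, assuming all-`any` addresses as in the config and a valid SA, and shows that the ICMP entry needed for the tunnelled ping also admits clear-text ICMP from the Internet.

```python
# Added model (not from the list post or Cisco IOS) of the two-pass ACL check the
# post describes: the inbound ACL on the public interface is evaluated on the
# arriving wire packet, the packet is decrypted, and the ACL is evaluated again
# on the decrypted inner packet. Addresses are all "any" in the page's ACL, so
# only protocol and UDP ports are modelled; the SA lookup is assumed to succeed.
ISAKMP = 500  # udp/500, the "isakmp" keyword in the config

# access-list 150 from the quoted config: (action, protocol, src_port, dst_port)
ACL_150 = [
    ("permit", "udp", None, ISAKMP),   # permit udp any any eq isakmp
    ("permit", "udp", ISAKMP, None),   # permit udp any eq isakmp any
    ("permit", "esp", None, None),     # permit esp any any
    ("permit", "icmp", None, None),    # permit icmp any any
    ("deny", "ip", None, None),        # deny ip any any log
]

def acl_permits(acl, pkt):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for action, proto, sport, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False

def inbound_public_interface(acl, pkt):
    """Return (accepted, reason) for a packet arriving on the crypto-mapped interface."""
    if not acl_permits(acl, pkt):
        return False, "dropped on first ACL pass (wire packet)"
    if pkt["proto"] != "esp":
        return True, "accepted as clear text from the Internet"
    inner = pkt["inner"]  # decrypted payload; crypto map/SA processing assumed OK
    if not acl_permits(acl, inner):
        return False, "dropped on second ACL pass (decrypted packet)"
    return True, "accepted through the tunnel"

def without(acl, proto):
    """Copy of an ACL with every entry for one protocol removed."""
    return [e for e in acl if e[1] != proto]

# Constructed sample packets: a ping carried in ESP from the peer, and the same
# ping sent in clear text straight from the Internet.
TUNNELLED_PING = {"proto": "esp", "inner": {"proto": "icmp"}}
CLEARTEXT_PING = {"proto": "icmp"}
```

Evaluating `without(ACL_150, "icmp")` reproduces the post's observation: the tunnelled ping passes the first check as ESP and is dropped on the second check as ICMP, while with the ICMP entry present the clear-text ping from the Internet is accepted too.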
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:58 GMT-3