RE: IPSEC/GRE

From: Fabrice Bobes (study@6colabs.com)
Date: Tue Jun 17 2003 - 01:11:29 GMT-3


Hello Emre,

If you specify IP in your access-list 100, you will not only encrypt the
GRE tunnel (packets with protocol type=47 in the IP header) but also all
other IP packets where source and destination are equal to your loopback 0.
For example, if you telnet to 4.4.4.4 and specify lo0 (2.2.2.2) as your
source interface for Telnet, the session will be encrypted.
If you specify GRE in your access-list 100, you will not encrypt the
Telnet session but only the GRE tunnel.

Thanks,

Fabrice
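As an added illustration (not part of either message on this thread), the following Python model shows how a crypto ACL selects "interesting" traffic and why Emre's lab behaved the same way with `permit ip` as with `permit gre`: the outer header of every GRE tunnel packet is 2.2.2.2 -> 4.4.4.4 protocol 47, and `ip` matches any protocol number, so the tunnel traffic matches either line. The class and function names (`Packet`, `CryptoAce`, `parse_crypto_ace`, `classify`) are my own, the matcher only understands the `permit` form of an extended ACE, and the sample packets are constructed from the addresses in Emre's configuration.

```python
import ipaddress
from dataclasses import dataclass

# IP protocol numbers behind the keywords IOS accepts in an extended ACL.
PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47,
                    "esp": 50, "ahp": 51, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    """The outer IP header of one packet leaving the router."""
    src: str
    dst: str
    protocol: int  # IP protocol number field


@dataclass(frozen=True)
class CryptoAce:
    """One 'access-list N permit <proto> <src> <dst>' entry of a crypto ACL."""
    number: int
    protocol: str  # "ip" or a keyword from PROTOCOL_NUMBERS
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        # 'ip' matches every IP protocol; any other keyword matches exactly one.
        if self.protocol != "ip" and PROTOCOL_NUMBERS[self.protocol] != pkt.protocol:
            return False
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _parse_address(tokens, i):
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_crypto_ace(line: str) -> CryptoAce:
    """Parse 'access-list <n> permit <proto> <src-spec> <dst-spec>' (hypothetical helper)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "permit":
        raise ValueError(f"not a permit ACE: {line!r}")
    proto = tokens[3]
    if proto != "ip" and proto not in PROTOCOL_NUMBERS:
        raise ValueError(f"unsupported protocol keyword {proto!r}")
    src, i = _parse_address(tokens, 4)
    dst, _ = _parse_address(tokens, i)
    return CryptoAce(int(tokens[1]), proto, src, dst)


def classify(acl_line: str) -> dict:
    """Report which constructed sample packets the given crypto ACE would encrypt."""
    ace = parse_crypto_ace(acl_line)
    samples = {
        # outer header of the tunnelled 8.8.8.8 -> 9.9.9.9 ping (GRE, protocol 47)
        "gre tunnel packet": Packet("2.2.2.2", "4.4.4.4", 47),
        # Telnet to 4.4.4.4 sourced from loopback 0 (TCP, protocol 6)
        "telnet from lo0": Packet("2.2.2.2", "4.4.4.4", 6),
        # plain ICMP between the Internet-facing addresses, matched by neither ACE
        "icmp from internet interface": Packet("5.5.5.5", "1.1.1.1", 1),
    }
    return {name: ace.matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for line in ("access-list 100 permit gre host 2.2.2.2 host 4.4.4.4",
                 "access-list 100 permit ip host 2.2.2.2 host 4.4.4.4"):
        print(line)
        for name, encrypted in classify(line).items():
            print(f"  {name:30} encrypted={encrypted}")
```

Running it prints that the GRE packet is encrypted under both lines, while the loopback-sourced Telnet session is encrypted only under the `permit ip` line, which is exactly the difference Fabrice describes.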

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Emre Koyuncu
Sent: Saturday, June 14, 2003 9:16 PM
To: ccielab@groupstudy.com
Subject: IPSEC/GRE

Hi Group,

Lately I have been working on a VPN project. I configured my routers for
IPSEC and also used GRE as I need OSPF over VPN. I have a 1760 and 2620 at
each site. 2620 is connected to HQ with T1 and 1760 is connected to HQ with
VPN over DSL (backup connection). The following is how I configured my
1760s. This configuration works fine but I have a strange problem. One of
my friends said that the access-list 100 must use ip as the protocol, not
GRE. I explained to him why it must be GRE and then set up a lab to show
him. First we checked with protocol GRE and he was convinced. But after I
changed the access-list protocol to IP, it worked again?? How come it
worked?
Can somebody help me with this?

For example consider a host connected to the fastethernet port (not on the
config) with ip address of 8.8.8.8. He wants to ping 9.9.9.9. And 9.9.9.9
is known through the tunnel interface. Until now I thought that the headers
would be as follows:
ip header source 8.8.8.8 destination 9.9.9.9
gre header source 2.2.2.2 destination 4.4.4.4
esp source 5.5.5.5 destination 1.1.1.1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key x.x.x.x address 1.1.1.1
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map emre 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 1
 match address 100
!

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 3.3.3.3 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 4.4.4.4
 crypto map emre
!
interface Ethernet0/0
 description *Internet Connection*
 ip address 5.5.5.5 255.255.255.0
 ip access-group 101 in
 half-duplex
 fair-queue
 crypto map emre
!
access-list 100 permit gre host 2.2.2.2 host 4.4.4.4



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3