RE: IPSEC/GRE

From: GokhanS@koc.net
Date: Tue Jun 17 2003 - 06:02:15 GMT-3


Emre Selam,

According to your config, you tunnel-encapsulate the IP packets first and then encrypt them.

Using "access-list 100 permit gre host 2.2.2.2 host 4.4.4.4" will prevent packets between 2.2.2.2 and 4.4.4.4 from being encrypted, because these packets will not be tunnel encapsulated.

Using "access-list 100 permit ip host 2.2.2.2 host 4.4.4.4" will also encrypt the packets between 2.2.2.2 and 4.4.4.4, which will apply to just the crypto map on the physical interface. And this access-list will still continue to resolve the source and destination address in tunnel encapsulation because it is still an IP packet.

Gokhan.

-----Original Message-----
From: Emre Koyuncu [mailto:emrekoyuncu@hotmail.com]
Sent: Sunday, June 15, 2003 7:16 AM
To: ccielab@groupstudy.com
Subject: IPSEC/GRE

Hi Group,

Lately I have been working on a VPN project. I configured my routers for IPSEC and also used GRE as I need OSPF over VPN. I have a 1760 and a 2620 at each site. The 2620 is connected to HQ with a T1 and the 1760 is connected to HQ with VPN over DSL (backup connection). The following is how I configured my 1760s. This configuration works fine, but I have a strange problem. One of my friends said that access-list 100 must use ip as the protocol, not GRE. I explained to him why it must be GRE and then set up a lab to show him. First we checked with protocol GRE and he was convinced. But after I changed the access-list protocol to IP, it worked again?? How come it worked? Can somebody help me with this?

For example, consider a host connected to a FastEthernet port (not in the config) with IP address 8.8.8.8. It wants to ping 9.9.9.9, and 9.9.9.9 is known through the tunnel interface. Until now I thought that the headers would be as follows:
ip header source 8.8.8.8 destination 9.9.9.9
gre header source 2.2.2.2 destination 4.4.4.4
esp source 5.5.5.5 destination 1.1.1.1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key x.x.x.x address 1.1.1.1
!
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
!
crypto map emre 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 1
 match address 100
!

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 3.3.3.3 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 4.4.4.4
 crypto map emre
!
interface Ethernet0/0
 description *Internet Connection*
 ip address 5.5.5.5 255.255.255.0
 ip access-group 101 in
 half-duplex
 fair-queue
 crypto map emre
!
access-list 100 permit gre host 2.2.2.2 host 4.4.4.4
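
Added example (not part of the thread or of any router code): a small Python model of the order Gokhan describes, GRE encapsulation on Tunnel0 first and then IPsec on the physical interface, with a parser for ACL lines in the exact form used above. It shows why both "permit gre" and "permit ip" between 2.2.2.2 and 4.4.4.4 select the GRE packet (the "ip" keyword matches every IP protocol, GRE included), and that only the "ip" form also selects non-GRE traffic between the two tunnel endpoints. The host and peer addresses are the ones in the posted config; IP protocol numbers (GRE 47, ESP 50) are the standard ones.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}  # IANA protocol numbers

@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int  # IP protocol number of the payload (47 = GRE, 50 = ESP)

def gre_encapsulate(inner: IPHeader, tun_src: str, tun_dst: str) -> list[IPHeader]:
    """Tunnel0 adds a new outer IP header (tunnel source/destination, protocol 47).
    The inner header is untouched. Outermost header is first in the list."""
    return [IPHeader(tun_src, tun_dst, IP_PROTO["gre"]), inner]

def parse_acl_line(line: str) -> tuple[str, str, str]:
    """Parse 'access-list N permit <proto> host A host B' -> (proto, src, dst)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2] != "permit" \
            or tok[4] != "host" or tok[6] != "host":
        raise ValueError(f"unsupported ACL syntax: {line}")
    return tok[3], tok[5], tok[7]

def acl_matches(line: str, outer: IPHeader) -> bool:
    """Crypto ACL check on the header the crypto map sees (the outermost one).
    'ip' matches any IP protocol; a named protocol matches only its number."""
    proto, src, dst = parse_acl_line(line)
    proto_ok = proto == "ip" or IP_PROTO[proto] == outer.proto
    return proto_ok and outer.src == src and outer.dst == dst

def ipsec_encapsulate(stack: list[IPHeader], acl_line: str,
                      phys_src: str, peer: str) -> list[IPHeader]:
    """Physical interface: if the outer header matches the crypto ACL, wrap the whole
    stack in ESP from the interface address to 'set peer'; otherwise send it in the clear."""
    if not acl_matches(acl_line, stack[0]):
        return stack
    return [IPHeader(phys_src, peer, IP_PROTO["esp"])] + stack

def header_stack(acl_line: str) -> list[tuple[str, str, int]]:
    """Headers on the wire for a ping from 8.8.8.8 to 9.9.9.9 under the given crypto ACL."""
    host_pkt = IPHeader("8.8.8.8", "9.9.9.9", IP_PROTO["icmp"])
    stack = gre_encapsulate(host_pkt, "2.2.2.2", "4.4.4.4")         # Tunnel0 source/destination
    stack = ipsec_encapsulate(stack, acl_line, "5.5.5.5", "1.1.1.1")  # Ethernet0/0 -> set peer
    return [(h.src, h.dst, h.proto) for h in stack]
```

With either ACL line `header_stack` returns ESP 5.5.5.5->1.1.1.1, then GRE 2.2.2.2->4.4.4.4, then the inner 8.8.8.8->9.9.9.9 header, which is the header order Emre expected.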

This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3