From: Emre Koyuncu (emrekoyuncu@hotmail.com)
Date: Tue Jun 17 2003 - 08:08:10 GMT-3
Fabrice,
I don't need to encrypt IP packets where source and destination are equal to
loop0. So I can go ahead with GRE, I guess.
But I could not understand what you say:
You say that if I use IP in the access-list, it will also match my traffic. I
agree that GRE is also an IP packet, but my access-list is very specific.
In my example headers are as follows.
ip header source 8.8.8.8 destination 9.9.9.9
gre header source 2.2.2.2 destination 4.4.4.4
esp source 5.5.5.5 destination 1.1.1.1
How come
access-list 100 permit ip host 2.2.2.2 host 4.4.4.4
matches this traffic while its IP header has different IP addresses?
----- Original Message -----
From: "Fabrice Bobes" <study@6colabs.com>
To: "'Emre Koyuncu'" <emrekoyuncu@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, June 17, 2003 12:11 AM
Subject: RE: IPSEC/GRE
> Hello Emre,
>
> If you specify IP in your access-list 100, you will not only encrypt the
> GRE tunnel (packets with protocol type=47 in the IP header) but also all
> other IP packets where source and destination are equal to your loopback
> 0.
> For example, if you telnet to 4.4.4.4 and specify lo0 (2.2.2.2) as your
> source interface for Telnet, the session will be encrypted.
> If you specify GRE in your access-list 100, you will not encrypt the
> Telnet session but only the GRE Tunnel.
>
> Thanks,
>
> Fabrice
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Emre Koyuncu
> Sent: Saturday, June 14, 2003 9:16 PM
> To: ccielab@groupstudy.com
> Subject: IPSEC/GRE
>
> Hi Group,
>
> Lately I have been working on a VPN project. I configured my routers for
> IPSEC and also used GRE as I need OSPF over VPN. I have a 1760 and 2620 at
> each site. 2620 is connected to HQ with T1 and 1760 is connected to HQ with
> VPN over DSL (backup connection). The following is how I configured my
> 1760s. This configuration works fine but I have a strange problem. One of
> my friends said that the access-list 100 must use ip as the protocol, not
> GRE. I explained to him why it must be GRE and then set up a lab to show
> him. First we checked with protocol GRE and he was convinced. But after I
> changed the access-list protocol to IP, it worked again?? How come it
> worked? Can somebody help me with this?
>
> For example consider a host connected to the fastethernet port (not in the
> config) with IP address 8.8.8.8. It wants to ping 9.9.9.9, and 9.9.9.9 is
> known through the tunnel interface. Until now I thought that the headers
> would be as follows:
> ip header source 8.8.8.8 destination 9.9.9.9
> gre header source 2.2.2.2 destination 4.4.4.4
> esp source 5.5.5.5 destination 1.1.1.1
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key x.x.x.x address 1.1.1.1
> !
> !
> crypto ipsec transform-set 1 esp-3des esp-md5-hmac
> !
> crypto map emre 1 ipsec-isakmp
> set peer 1.1.1.1
> set transform-set 1
> match address 100
> !
>
> interface Loopback0
> ip address 2.2.2.2 255.255.255.0
> !
> interface Tunnel0
> ip address 3.3.3.3 255.255.255.0
> tunnel source 2.2.2.2
> tunnel destination 4.4.4.4
> crypto map emre
> !
> interface Ethernet0/0
> description *Internet Connection*
> ip address 5.5.5.5 255.255.255.0
> ip access-group 101 in
> half-duplex
> fair-queue
> crypto map emre
> !
> access-list 100 permit gre host 2.2.2.2 host 4.4.4.4
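Editor's note, added example (not part of the thread and not Cisco code): the
point both posts circle around is which packet the crypto map on Ethernet0/0
evaluates. By the time a packet routed through Tunnel0 reaches Ethernet0/0 it
has already been GRE-encapsulated, so `match address 100` sees an outer IP
header with source 2.2.2.2, destination 4.4.4.4 and protocol 47; the original
8.8.8.8/9.9.9.9 addresses are inside the payload. The Python model below
builds that encapsulation and runs both variants of access-list 100 over the
packets from the thread. The ACL parser (only `host`, `any` and
address/wildcard forms, protocols ip/gre/tcp/icmp), the packet records and the
`via_tunnel` flag that stands in for the routing decision are assumptions of
this example; the addresses are the constructed ones from the thread.

```python
"""
Added example: how a crypto-map ACL is matched against GRE-over-IPsec traffic.
Illustrative code, not Cisco IOS.

The crypto map on the physical interface evaluates the packet as it leaves
that interface, i.e. AFTER Tunnel0 has wrapped it in GRE plus a new IP header
(tunnel source -> tunnel destination, protocol 47).
"""
from dataclasses import dataclass
from typing import List, Optional

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
IP_PROTO_GRE = 47

# ACL protocol keywords understood by this model (assumed subset of IOS).
PROTO_KEYWORDS = {"ip": None, "icmp": IP_PROTO_ICMP, "tcp": IP_PROTO_TCP, "gre": IP_PROTO_GRE}


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    proto: int
    payload: Optional["IPPacket"] = None  # inner packet when encapsulated


def gre_encapsulate(inner: IPPacket, tunnel_src: str, tunnel_dst: str) -> IPPacket:
    """What interface Tunnel0 does: a new outer IP header carrying protocol 47."""
    return IPPacket(tunnel_src, tunnel_dst, IP_PROTO_GRE, payload=inner)


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    proto: Optional[int]  # None means the 'ip' keyword (any IP protocol)
    src: tuple            # (network, wildcard) as ints
    dst: tuple


def _parse_address(tokens: List[str]):
    """host A.B.C.D | any | A.B.C.D WILDCARD -> ((net, wildcard), remaining tokens)"""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_to_int(tokens[1]), 0), tokens[2:]
    return (ip_to_int(tokens[0]), ip_to_int(tokens[1])), tokens[2:]


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny PROTO SRC DST' (extended ACL form)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    if tokens[3] not in PROTO_KEYWORDS:
        raise ValueError(f"unsupported protocol keyword: {tokens[3]}")
    src, rest = _parse_address(tokens[4:])
    dst, _ = _parse_address(rest)
    return AclEntry(tokens[2] == "permit", PROTO_KEYWORDS[tokens[3]], src, dst)


def _addr_match(spec: tuple, addr: str) -> bool:
    net, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (ip_to_int(addr) & mask) == (net & mask)


def acl_permits(acl: List[AclEntry], pkt: IPPacket) -> bool:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for entry in acl:
        proto_ok = entry.proto is None or entry.proto == pkt.proto
        if proto_ok and _addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst):
            return entry.permit
    return False


def crypto_map_selects(acl: List[AclEntry], routed: IPPacket, via_tunnel: bool,
                       tunnel_src: str = "2.2.2.2", tunnel_dst: str = "4.4.4.4") -> bool:
    """Packet leaving Ethernet0/0: encapsulated first if it was routed via Tunnel0."""
    on_wire = gre_encapsulate(routed, tunnel_src, tunnel_dst) if via_tunnel else routed
    return acl_permits(acl, on_wire)


# Constructed inputs using the thread's example addresses.
ACL_GRE = [parse_acl_line("access-list 100 permit gre host 2.2.2.2 host 4.4.4.4")]
ACL_IP = [parse_acl_line("access-list 100 permit ip host 2.2.2.2 host 4.4.4.4")]
PING = IPPacket("8.8.8.8", "9.9.9.9", IP_PROTO_ICMP)            # routed through Tunnel0
TELNET_FROM_LO0 = IPPacket("2.2.2.2", "4.4.4.4", IP_PROTO_TCP)  # sourced from lo0, not tunnelled


def compare() -> dict:
    """Which traffic each variant of access-list 100 hands to IPsec."""
    return {
        "gre_acl_ping_via_tunnel": crypto_map_selects(ACL_GRE, PING, via_tunnel=True),
        "ip_acl_ping_via_tunnel": crypto_map_selects(ACL_IP, PING, via_tunnel=True),
        "gre_acl_telnet_from_lo0": crypto_map_selects(ACL_GRE, TELNET_FROM_LO0, via_tunnel=False),
        "ip_acl_telnet_from_lo0": crypto_map_selects(ACL_IP, TELNET_FROM_LO0, via_tunnel=False),
        "gre_acl_ping_unencapsulated": acl_permits(ACL_GRE, PING),
    }


if __name__ == "__main__":
    for name, selected in compare().items():
        print(f"{name:30s} -> {'encrypt' if selected else 'clear'}")
```

Running it shows the two ACLs agree on the tunnelled ping (both match the
outer 2.2.2.2 -> 4.4.4.4 header, so both "work"), differ on a Telnet session
sourced from lo0 (only `permit ip` encrypts it), and that the GRE ACL never
matches the ping on its original 8.8.8.8/9.9.9.9 addresses, because that is
not the header the crypto map sees.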
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3