From: Fabrice Bobes (study@6colabs.com)
Date: Tue Jun 17 2003 - 14:46:41 GMT-3
Emre,
Are you talking about your ICMP traffic between 8.8.8.8 and 9.9.9.9?
Everything depends here on how your routes 8.0.0.0 and 9.0.0.0 are learned.
- If they are learned via the Tunnel, then your traffic will be encrypted, since the outer header of the packet becomes SA=2.2.2.2, DA=4.4.4.4, Prot=47. Traffic gets GRE encapsulated and matches ACL 100.
- If they are not learned via the Tunnel, the packets won't match your ACL 100 and won't be encapsulated.
I hope it answers your question, just let me know if otherwise,
Fabrice
-----Original Message-----
From: Emre Koyuncu [mailto:emrekoyuncu@hotmail.com]
Sent: Tuesday, June 17, 2003 4:08 AM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: Re: IPSEC/GRE
Fabrice,
I don't need to encrypt IP packets where source and destination are equal to loop0. So I can go ahead with GRE, I guess.
But I could not understand what you say:
You say that if I use IP in the access-list, it will also match my traffic. I agree that GRE is also an IP packet but my access-list is very specific.
In my example headers are as follows.
ip header source 8.8.8.8 destination 9.9.9.9
gre header source 2.2.2.2 destination 4.4.4.4
esp source 5.5.5.5 destination 1.1.1.1
How come
access-list 100 permit ip host 2.2.2.2 host 4.4.4.4
matches this traffic while its IP header has different IP addresses?
----- Original Message -----
From: "Fabrice Bobes" <study@6colabs.com>
To: "'Emre Koyuncu'" <emrekoyuncu@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, June 17, 2003 12:11 AM
Subject: RE: IPSEC/GRE
> Hello Emre,
>
> If you specify IP in your access-list 100, you will not only encrypt the
> GRE tunnel (packets with protocol type=47 in the IP header) but also all
> other IP packets where source and destination are equal to your loopback 0.
> For example, if you telnet to 4.4.4.4 and specify lo0 (2.2.2.2) as your
> source interface for Telnet, the session will be encrypted.
> If you specify GRE in your access-list 100, you will not encrypt the
> Telnet session but only the GRE Tunnel.
>
> Thanks,
>
> Fabrice
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Emre Koyuncu
> Sent: Saturday, June 14, 2003 9:16 PM
> To: ccielab@groupstudy.com
> Subject: IPSEC/GRE
>
> Hi Group,
>
> Lately I have been working on a VPN project. I configured my routers for
> IPSEC and also used GRE as I need OSPF over VPN. I have a 1760 and 2620 at
> each site. 2620 is connected to HQ with T1 and 1760 is connected to HQ with
> VPN over DSL (backup connection). The following is how I configured my 1760s.
> This configuration works fine but I have a strange problem. One of my friends
> said that the access-list 100 must use ip as the protocol, not GRE. I
> explained to him why it must be GRE and then set a lab to show him. First we
> checked with protocol GRE and he was convinced. But after I changed
> access-list protocol to IP, it worked again?? How come it worked?
> Can somebody help me with this?
>
> For example consider a host connected to fastethernet port (not on config)
> with ip address of 8.8.8.8. He wants to ping 9.9.9.9. And 9.9.9.9 is known
> through tunnel interface. Until now I thought that the headers would be as
> follows:
> ip header source 8.8.8.8 destination 9.9.9.9
> gre header source 2.2.2.2 destination 4.4.4.4
> esp source 5.5.5.5 destination 1.1.1.1
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key x.x.x.x address 1.1.1.1
> !
> !
> crypto ipsec transform-set 1 esp-3des esp-md5-hmac
> !
> crypto map emre 1 ipsec-isakmp
> set peer 1.1.1.1
> set transform-set 1
> match address 100
> !
>
> interface Loopback0
> ip address 2.2.2.2 255.255.255.0
> !
> interface Tunnel0
> ip address 3.3.3.3 255.255.255.0
> tunnel source 2.2.2.2
> tunnel destination 4.4.4.4
> crypto map emre
> !
> interface Ethernet0/0
> description *Internet Connection*
> ip address 5.5.5.5 255.255.255.0
> ip access-group 101 in
> half-duplex
> fair-queue
> crypto map emre
> !
> access-list 100 permit gre host 2.2.2.2 host 4.4.4.4
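The point Fabrice makes at the top of the thread is that the crypto map never sees the 8.8.8.8 -> 9.9.9.9 header: by the time the packet reaches Ethernet0/0 it has been GRE-encapsulated, so the ACL is evaluated against the outer header (2.2.2.2 -> 4.4.4.4, protocol 47), which both "permit gre" and the broader "permit ip" match. The model below is an added example, not code from the thread or from Cisco; it assumes the thread's constructed addresses (a host at 8.8.8.8, 9.9.9.9 reachable via Tunnel0, tunnel source 2.2.2.2, destination 4.4.4.4) and models only the "access-list N permit <proto> host A host B" syntax used in the thread. It also covers the two cases the thread raises: a prefix that is not routed into the tunnel never acquires a GRE header and so matches neither ACL, and a Telnet session sourced from Loopback0 is caught by "permit ip" but not by "permit gre".

```python
"""Model of how a crypto-map ACL is evaluated against GRE-over-IPsec traffic.

Added example, not code from the thread. Addresses, routing table and ACL
syntax are the constructed values from the groupstudy discussion.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACL protocol keyword -> IP protocol number; 'ip' means any protocol.
PROTO_NUM = {"ip": None, "gre": 47, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    proto: int                             # IP protocol number of the payload
    payload: Optional["IPHeader"] = None   # inner header when GRE-encapsulated


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: Optional[int]                   # None matches any IP protocol
    src: str
    dst: str


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the 'access-list N permit|deny <proto> host A host B' form used in the thread."""
    entries = []
    for line in lines:
        tok = line.split()
        if (len(tok) != 8 or tok[0] != "access-list" or tok[2] not in ("permit", "deny")
                or tok[3] not in PROTO_NUM or tok[4] != "host" or tok[6] != "host"):
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        entries.append(AclEntry(tok[2], PROTO_NUM[tok[3]], tok[5], tok[7]))
    return entries


def acl_matches(entries: List[AclEntry], hdr: IPHeader) -> bool:
    """First-match evaluation on the header handed to the crypto map; implicit deny at the end."""
    for e in entries:
        if (e.proto is None or e.proto == hdr.proto) and e.src == hdr.src and e.dst == hdr.dst:
            return e.action == "permit"
    return False


# Constructed routing tables. ROUTES mirrors the thread: 9.0.0.0 is learned via the tunnel.
ROUTES = {ipaddress.ip_network("9.0.0.0/8"): "Tunnel0",
          ipaddress.ip_network("0.0.0.0/0"): "Ethernet0/0"}
NO_TUNNEL_ROUTE = {ipaddress.ip_network("0.0.0.0/0"): "Ethernet0/0"}
TUNNEL0 = {"source": "2.2.2.2", "destination": "4.4.4.4"}   # from the posted config


def egress_interface(dst: str, routes: Dict) -> str:
    """Longest-prefix match over the constructed table."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]


def forward(pkt: IPHeader, routes: Dict = ROUTES) -> IPHeader:
    """Return the header that actually leaves Ethernet0/0.

    A packet routed into Tunnel0 is wrapped in GRE (protocol 47) with the tunnel
    source/destination as the new outer addresses; anything else leaves unchanged.
    """
    if egress_interface(pkt.dst, routes) == "Tunnel0":
        return IPHeader(TUNNEL0["source"], TUNNEL0["destination"], 47, payload=pkt)
    return pkt


def encrypted(acl_lines: List[str], pkt: IPHeader, routes: Dict = ROUTES) -> bool:
    """Would the crypto map on Ethernet0/0 encrypt this packet? Decided on the outer header."""
    return acl_matches(parse_acl(acl_lines), forward(pkt, routes))


ACL_GRE = ["access-list 100 permit gre host 2.2.2.2 host 4.4.4.4"]
ACL_IP = ["access-list 100 permit ip host 2.2.2.2 host 4.4.4.4"]
PING = IPHeader("8.8.8.8", "9.9.9.9", 1)             # the thread's ICMP test
TELNET_FROM_LO0 = IPHeader("2.2.2.2", "4.4.4.4", 6)  # Telnet sourced from Loopback0

if __name__ == "__main__":
    for name, acl in (("permit gre", ACL_GRE), ("permit ip", ACL_IP)):
        print(f"{name:10} ping 8.8.8.8->9.9.9.9, 9/8 via tunnel : {encrypted(acl, PING)}")
        print(f"{name:10} same ping, 9/8 not via tunnel         : {encrypted(acl, PING, NO_TUNNEL_ROUTE)}")
        print(f"{name:10} telnet lo0 2.2.2.2->4.4.4.4            : {encrypted(acl, TELNET_FROM_LO0)}")
```

Running it shows both ACLs encrypting the tunnelled ping, neither ACL matching the ping when 9.0.0.0 is not routed through Tunnel0, and only "permit ip" catching the Telnet session from Loopback0. When auditing a crypto map, the useful check is therefore not the inner flow but the outer header the encapsulating interface produces, and whether the prefixes you expect to protect are actually routed into the tunnel.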
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3