RE: using both ESP and AH for IPSEC VPN between two routers

From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Sat Apr 17 2004 - 15:47:36 GMT-3


You will only see AH matches on the acl because AHP is the outer header (ah
encapsulates esp) !!

-----Original Message-----
From: Murali Sethuraman [mailto:murali68@emirates.net.ae]
Sent: Saturday, 17 April 2004 19:48
To: 'kalis thomas'; security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: using both ESP and AH for IPSEC VPN between two routers

Hi,

I understand this to do with the positioning of the AH & ESP headers immediately
following the IPv4 header, and whichever protocol is referred to in the IPv4 header
will result in the matching ACL allowing the traffic.

Best Regards,
Murali Sethuraman

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
kalis thomas
Sent: Saturday, April 17, 2004 4:10 AM
To: security@groupstudy.com
Subject: re: using both ESP and AH for IPSEC VPN between two routers

Hello. I have the following IPSEC configuration between two 2500 routers
running 12.1(3)T whereby within my IPSEC transform-set I am defining both
the use of AH and ESP. Everything is working fine and the respective tunnel
comes up; however, I am concerned about one issue:

a. Why am I not seeing any matches on the access-list line for ESP? [Note:
tried w/GRE and yielded the same result, as expected of course.] ***Point of
note: if I change the transform-set to the following, 'crypto ipsec
transform-set MYSET esp-des esp-sha-hmac', then I receive ESP matches against
the ACL (note: matches not shown below), but I would think I should also see
matches in the configuration provided below.

Thanks in advance,
TJ

Respective configs and show commands included below.

R1#sh run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
!
!
!
!
ip subnet-zero
ip telnet source-interface Ethernet0
no ip domain-lookup
ip domain-name cisco.com
ip host R2.cisco.com 40.2.2.2
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
crypto isakmp policy 10
 authentication rsa-encr
 group 2
!
!
crypto ipsec transform-set MYSET ah-sha-hmac esp-des esp-sha-hmac
!
crypto key pubkey-chain rsa
 addressed-key 40.2.2.2
  address 40.2.2.2
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DCCCBF 87F28A2F
   1A1DD99E 44364622 9B476661 D1C18696 896E7774 DB67E611 D09D6981 C384C5D7
   9B052354 9A35496A A7EB38BB C3458A79 A39CF10B B6528F6C 6B020301 0001
  quit
 !
 crypto map MYMAP 10 ipsec-isakmp
 set peer 40.2.2.2
 set transform-set MYSET
 match address 112
!
!
!
!
interface Loopback0
 ip address 10.11.11.1 255.255.255.0
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 40.1.1.1 255.255.255.0
 ip access-group 199 in
 no fair-queue
 clockrate 64000
 crypto map MYMAP
!
interface Serial1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip route 10.2.2.0 255.255.255.0 40.1.1.3
ip route 40.2.2.0 255.255.255.0 40.1.1.3
no ip http server
!
access-list 102 permit gre host 40.1.1.1 host 40.2.2.2
access-list 102 permit gre host 40.2.2.2 host 40.1.1.1
access-list 112 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 198 permit ahp any any
access-list 199 permit gre host 40.2.2.2 host 40.1.1.1
access-list 199 permit udp host 40.2.2.2 eq isakmp host 40.1.1.1 eq isakmp
access-list 199 permit esp host 40.2.2.2 host 40.1.1.1
access-list 199 permit ahp host 40.2.2.2 host 40.1.1.1
access-list 199 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 deny ip any any log
!
line con 0
 transport input none
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end
R1#sh crypto engine conn active
  ID Interface   IP-Address   State  Algorithm            Encrypt  Decrypt
  12 <none>      <none>       set    HMAC_SHA+DES_56_CB         0        0
2000 Serial0     40.1.1.1     set    HMAC_SHA                   0       27
2001 Serial0     40.1.1.1     set    HMAC_SHA                  27        0
2002 Serial0     40.1.1.1     set    HMAC_SHA+DES_56_CB         0       27
2003 Serial0     40.1.1.1     set    HMAC_SHA+DES_56_CB        27        0

R1#sh access-list 199
Extended IP access list 199
    permit gre host 40.2.2.2 host 40.1.1.1
    permit udp host 40.2.2.2 eq isakmp host 40.1.1.1 eq isakmp (10 matches)
    permit esp host 40.2.2.2 host 40.1.1.1
    permit ahp host 40.2.2.2 host 40.1.1.1 (27 matches)
    permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 (54 matches)
    deny ip any any log

R1#sh crypto ipsec trans
Transform set MYSET: { ah-md5-hmac }
   will negotiate = { Tunnel, },
   { esp-des esp-md5-hmac }
   will negotiate = { Tunnel, },

R1#10.2.2.2
Trying 10.2.2.2 ... Open
R2#term len 0
R2#sh run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
!
!
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip domain-name cisco.com
ip host R1.cisco.com 40.1.1.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
crypto isakmp policy 10
 authentication rsa-encr
 group 2
!
!
crypto ipsec transform-set MYSET ah-sha-hmac esp-des esp-sha-hmac
!
crypto key pubkey-chain rsa
 addressed-key 40.1.1.1
  address 40.1.1.1
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 0099ED41 BA42CD47
   2CB47D67 B7139256 34ABFFAD 32657E56 0D13232C 8D9B5FF0 AD218A2B 2FDBCEF8
   87CCAAF6 D5A2CEB1 FD8527C0 6A71AA42 BA65B48C 9BB50D52 31020301 0001
  quit
 !
 crypto map MYMAP 10 ipsec-isakmp
 set peer 40.1.1.1
 set transform-set MYSET
 match address 112
!
!
!
!
interface Loopback0
 ip address 10.22.22.2 255.255.255.0
!
interface Ethernet0
 ip address 10.2.2.2 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 ip address 40.2.2.2 255.255.255.0
 ip verify unicast reverse-path
 clockrate 64000
 crypto map MYMAP
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip route 10.1.1.0 255.255.255.0 40.2.2.3
ip route 40.1.1.0 255.255.255.0 40.2.2.3
no ip http server
!
access-list 102 permit gre host 40.2.2.2 host 40.1.1.1
access-list 112 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end
R2#

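Added example for this archive page (not code from any of the posters, nor from Cisco IOS): it illustrates Richard's point by constructing, in Python, the outer packet a router emits for a tunnel-mode SA with the AH+ESP transform set versus the ESP-only one, walking the cleartext header chain, and counting matches against the `esp` and `ahp` lines of R1's access-list 199 the way an interface ACL does, from the outermost IP header only. The SPIs, the 12-byte ICV and the ciphertext bytes are constructed placeholders, not values from the thread's SAs.

```python
import ipaddress
import struct

# IANA protocol numbers for the two IPsec headers (IOS ACL keywords "ahp" and "esp")
AH = 51
ESP = 50
PROTO_KEYWORD = {AH: "ahp", ESP: "esp"}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; constructed, not a captured packet)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_header(next_header, spi, seq, icv):
    """RFC 4302 AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def esp_header(spi, seq, ciphertext):
    """RFC 4303 ESP: SPI, sequence number, then the opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def tunnel_packet(src, dst, with_ah):
    """Outer packet as it leaves the router. With AH+ESP in the transform set the
    order on the wire is IP(51) -> AH(next=50) -> ESP; with ESP only it is IP(50) -> ESP."""
    # SPIs, ICV and ciphertext below are constructed placeholders, not real SA values.
    esp = esp_header(0x2002, 1, b"\xaa" * 32)
    if with_ah:
        ah = ah_header(ESP, 0x2000, 1, b"\x00" * 12)   # 96-bit truncated HMAC-SHA-1 ICV
        return ipv4_header(src, dst, AH, len(ah) + len(esp)) + ah + esp
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def header_chain(pkt):
    """Walk the cleartext headers: IP -> (AH ->) ESP. Stops at ESP; its payload is encrypted."""
    proto = pkt[9]                          # IPv4 protocol field
    rest = pkt[(pkt[0] & 0x0F) * 4:]        # skip the IPv4 header (IHL in 32-bit words)
    chain = []
    while proto == AH:
        chain.append("ahp")
        proto = rest[0]                     # AH next-header field
        rest = rest[(rest[1] + 2) * 4:]     # skip the AH header including its ICV
    chain.append(PROTO_KEYWORD.get(proto, str(proto)))
    return chain


def acl_match_counts(acl, packets):
    """Count matches the way an interface ACL does: the protocol is read from the
    outermost IP header only. acl is a list of (protocol_keyword, src, dst) entries
    evaluated top-down; the first matching entry wins."""
    counts = {entry: 0 for entry in acl}
    for pkt in packets:
        proto = PROTO_KEYWORD.get(pkt[9], str(pkt[9]))
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        for entry in acl:
            if entry == (proto, src, dst):
                counts[entry] += 1
                break
    return counts


# The two relevant lines of access-list 199 on R1 (applied inbound on Serial0)
ACL_199 = [("esp", "40.2.2.2", "40.1.1.1"), ("ahp", "40.2.2.2", "40.1.1.1")]


def demo(with_ah, n=27):
    """Send n tunnel packets from R2 to R1 through the ACL; n=27 mirrors the thread's counter."""
    packets = [tunnel_packet("40.2.2.2", "40.1.1.1", with_ah) for _ in range(n)]
    return header_chain(packets[0]), acl_match_counts(ACL_199, packets)


if __name__ == "__main__":
    for with_ah in (True, False):
        chain, counts = demo(with_ah)
        print("transform set", "ah+esp" if with_ah else "esp only", "->", " > ".join(chain))
        for (proto, src, dst), n in counts.items():
            print(f"  permit {proto} host {src} host {dst} ({n} matches)")
```

With the AH+ESP transform set every packet's outer protocol field is 51, so only the `permit ahp` line counts matches and `permit esp` stays at zero even though ESP is present one header deeper; with the ESP-only transform set the same packets count against `permit esp` instead. The practical consequence for an inbound filter is that the `esp` entry is harmless but idle while AH is in use, and removing it would break the tunnel only after the transform set is changed back to ESP alone.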



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:49 GMT-3