From: Gary Duncanson (gary.duncanson@googlemail.com)
Date: Wed May 09 2007 - 18:31:56 ART
Hi Sydney,
These links cover MTU and GRE. Fragmentation can be an issue.
HTH
http://www.cisco.com/warp/public/105/56.html
http://www.cisco.com/warp/public/105/pmtud_ipfrag.html
Gary
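Gary's links cover the MTU arithmetic behind the "ip mtu 1396" question quoted below. As an added example (not part of the thread), the Python below computes the on-wire size of a packet sent through Rocco's tunnel (plain GRE, then ESP in tunnel mode, which is the crypto map default, with esp-3des esp-md5-hmac) and the largest tunnel ip mtu that still fits a 1500-byte Ethernet link without fragmenting; the 1500-byte link MTU and the header sizes are assumptions taken from the GRE and ESP RFCs, not from the thread.

```python
# Added worked example, not from the thread: GRE-over-IPsec encapsulation overhead
# for a plain GRE tunnel protected by ESP (3DES-CBC + HMAC-MD5-96) in tunnel mode.
# Header sizes are assumptions from RFC 2784 (GRE) and RFC 4303 (ESP).

IP_HDR = 20          # IPv4 header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
TRAILER_FIXED = 2    # pad length (1) + next header (1)


def esp_padding(plain_len, block=8):
    """Padding bytes so that plaintext + padding + 2-byte trailer fills whole cipher blocks."""
    return (-(plain_len + TRAILER_FIXED)) % block


def encapsulated_len(inner_len, block=8, iv_len=8, icv_len=12, tunnel_mode=True, gre_hdr=4):
    """On-wire length of one inner IP packet after GRE and then ESP encapsulation.

    inner_len: packet entering the tunnel (bounded by the tunnel's ip mtu)
    block/iv_len: 8 for 3DES-CBC; icv_len: 12 for esp-md5-hmac or esp-sha-hmac (96-bit ICV)
    gre_hdr: 4 for plain GRE, 8 with a GRE key, 12 with key + sequence number
    """
    gre_pkt = IP_HDR + gre_hdr + inner_len               # GRE delivery header + GRE + payload
    # Tunnel mode encrypts the whole GRE packet and adds a new outer IP header;
    # transport mode keeps the delivery IP header outside ESP and encrypts only GRE + payload.
    plain = gre_pkt if tunnel_mode else gre_pkt - IP_HDR
    esp_payload = plain + esp_padding(plain, block) + TRAILER_FIXED
    return IP_HDR + ESP_HDR + iv_len + esp_payload + icv_len


def max_tunnel_ip_mtu(link_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose worst-case encrypted packet never exceeds link_mtu."""
    mtu = link_mtu
    while mtu > 0 and encapsulated_len(mtu, **kw) > link_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for mtu in (1396, 1400, 1422, 1423):
        print(mtu, "byte inner packet ->", encapsulated_len(mtu), "bytes on the wire")
    print("largest tunnel ip mtu for a 1500-byte link:", max_tunnel_ip_mtu())
```

The figures are the worst case for CBC padding, so 1396 leaves roughly 28 bytes of headroom on a 1500-byte link; NAT-T (UDP encapsulation) would add 8 more bytes, and a GRE key or sequence number adds 4 each via the gre_hdr parameter.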
----- Original Message -----
From: "Sydney Hawke" <sydneyhawke@yahoo.com>
To: "Rocco R21" <roccor21@hotmail.com>; <ccielab@groupstudy.com>
Sent: Wednesday, May 09, 2007 9:55 PM
Subject: Re: VPN GRE Tunnel with crypto map problem
> Hi,
>
> Excellent, I did what you suggested and placed the crypto map on the
> physical (actually I tested on a Fa0/0.1 too and that works) but not on
> the loopbacks as you advised.
>
> #pkts encaps: 623, #pkts encrypt: 623, #pkts digest: 623
> #pkts decaps: 630, #pkts decrypt: 630, #pkts verify: 630
>
> One more thing: I noticed that you are using ip mtu 1396. Is that the
> recommended size, and what is the maximum?
>
> Thanks very much for your help.
>
> Best Regards,
>
> Sydney
>
>
>
> ----- Original Message ----
> From: Rocco R21 <roccor21@hotmail.com>
> To: roccor21@hotmail.com; sydneyhawke@yahoo.com; ccielab@groupstudy.com
> Sent: Wednesday, May 9, 2007 10:17:52 PM
> Subject: RE: VPN GRE Tunnel with crypto map problem
>
>
> Figured I'd show an example of what I've tested; this config encrypts all
> traffic across the GRE tunnel:
>
>
> ***VPN-Hub***
> !
> version 12.3
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
> !
> crypto map fa0/1 1 ipsec-isakmp
> set peer 192.168.23.2
> set transform-set cisco
> match address 111
> !
> interface Loopback55
> ip address 55.55.55.1 255.255.255.0
> !
> interface Tunnel44
> ip address 77.77.77.2 255.255.255.0
> ip mtu 1396
> tunnel source Loopback55
> tunnel destination 44.44.44.1
> !
> interface FastEthernet0/0
> ip address 192.168.123.1 255.255.255.0
> speed 100
> full-duplex
> !
> interface FastEthernet0/1
> ip address 192.168.23.22 255.255.255.0
> speed 100
> full-duplex
> crypto map fa0/1
> !
> router eigrp 1
> network 77.0.0.0
> network 192.168.123.1 0.0.0.0
> no auto-summary
> no eigrp log-neighbor-changes
> !
> ip route 0.0.0.0 0.0.0.0 192.168.23.2
> !
> !
> access-list 111 permit gre any any
> !
> !
> !
> ***VPN-spoke***
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
> !
> crypto map e0/0 1 ipsec-isakmp
> set peer 192.168.23.22
> set transform-set cisco
> match address 111
> !
> !
> interface Loopback0
> ip address 44.44.44.1 255.255.255.0
> !
> interface Tunnel44
> ip address 77.77.77.1 255.255.255.0
> ip mtu 1396
> tunnel source Loopback0
> tunnel destination 55.55.55.1
> !
> interface Ethernet0/0
> ip address 192.168.23.2 255.255.255.0
> ip ospf priority 240
> half-duplex
> crypto map e0/0
> !
> interface Ethernet0/1
> ip address 172.16.123.1 255.255.255.0
> half-duplex
> !
> router eigrp 1
> network 77.0.0.0
> network 172.16.123.1 0.0.0.0
> no auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 192.168.23.22
> !
> access-list 111 permit gre any any
> !
>
>
>
>
> From: "Rocco R21" <roccor21@hotmail.com>
> Reply-To: "Rocco R21" <roccor21@hotmail.com>
> To: sydneyhawke@yahoo.com, ccielab@groupstudy.com
> Subject: RE: VPN GRE Tunnel with crypto map problem
> Date: Wed, 09 May 2007 15:45:49 -0400
>>Try using the crypto map only on the physical interfaces where the
>>traffic will traverse (i.e. Ethernet or serial). Remove it from your loopbacks
>>and tunnels if your IOS is 12.2(13)T or later. The named access-list
>>'vpn' will define what you want to encrypt, in this case only between the
>>loopbacks. Your crypto policy should get a match and your ACLs
>>are mirrored, so you should be fine there. Also, you may want to consider
>>going with a smaller ip mtu on the tunnels to account for the GRE/IPSec
>>header info.
>>
>>http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_field_notice09186a0080697964.shtml
>>
>>HTH,
>>
>>rr
>>
>> --------------------------------------------------------------------
>>
>> From: Sydney Hawke <sydneyhawke@yahoo.com>
>> Reply-To: Sydney Hawke <sydneyhawke@yahoo.com>
>> To: ccielab@groupstudy.com
>> Subject: VPN GRE Tunnel with crypto map problem
>> Date: Wed, 9 May 2007 12:04:36 -0700 (PDT)
>> >Hi,
>> >
>> >I have been testing this a lot and I just cannot get it to work
>> >(encrypt). Is there anyone who is a better security person than I am
>> >who can help?
>> >
>> >I appreciate your help in this.
>> >
>> >All networks advertised in OSPF
>> >
>> >ROUTER 4
>> >interface Tunnel46
>> > ip address 46.46.46.4 255.255.255.0
>> > tunnel source 4.4.4.4
>> > tunnel destination 6.6.6.6
>> > crypto map CRYPTOMAP - Is it needed, or just on the source interface, i.e. the loopback?
>> >!
>> >interface Loopback0
>> > ip address 4.4.4.4 255.255.255.0
>> > crypto map CRYPTOMAP
>> >
>> >ip access-list extended VPN
>> >permit gre host 4.4.4.4 host 6.6.6.6
>> >
>> >crypto isakmp policy 1
>> > encr 3des
>> > authentication pre-share
>> > group 2
>> >
>> >crypto isakmp key CISCO address 6.6.6.6
>> >
>> >crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>> >
>> >crypto map CRYPTOMAP 1 ipsec-isakmp
>> > set peer 6.6.6.6
>> > set transform-set TRANSFORM
>> > match address VPN
>>
>> >++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> >ROUTER 6
>> >interface Tunnel46
>> > ip address 46.46.46.6 255.255.255.0
>> > tunnel source 6.6.6.6
>> > tunnel destination 4.4.4.4
>> > crypto map CRYPTOMAP - Is it needed, or just on the source interface, i.e. the loopback?
>> >
>> >interface Loopback0
>> > ip address 6.6.6.6 255.255.255.0
>> > crypto map CRYPTOMAP
>> >
>> >ip access-list extended VPN
>> >permit gre host 6.6.6.6 host 4.4.4.4
>> >
>> >crypto isakmp policy 1
>> > encr 3des
>> > authentication pre-share
>> > group 2
>> >
>> >crypto isakmp key CISCO address 4.4.4.4
>> >
>> >crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>> >
>> >crypto map CRYPTOMAP 1 ipsec-isakmp
>> > set peer 4.4.4.4
>> > set transform-set TRANSFORM
>> > match address VPN
>> >
>> >
>> >Best Regards,
>> >
>> >Sydney
>> >
>> >
>>
>> >_______________________________________________________________________
>> >Subscription information may be found at:
>> >http://www.groupstudy.com/list/CCIELab.html
>>
>
>
>
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART