Re: VPN GRE Tunnel with crypto map problem

From: Rocco R21 (roccor21@hotmail.com)
Date: Wed May 09 2007 - 23:48:33 ART


That can vary depending on what type of encryption, hash, tunnel vs
transport, etc. I went with the worst case scenario when testing
(1500-104=1396). This mostly has to do with avoiding IP fragmentation. This
has already been posted on groupstudy; here is a good link to review.

http://www.groupstudy.com/form/read.php?f=7&i=109464&t=109433

Regards,

Rocco
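The arithmetic behind the 1396 figure, as an added example that is not part of Rocco's message or of the thread: the script computes the bytes GRE and ESP add to an inner packet for a given transform set and mode, the largest tunnel ip mtu that still fits a 1500-byte link without fragmenting the encrypted packet, and the matching TCP MSS. Header sizes follow the GRE and ESP RFCs; the cipher and ICV tables, the function names and the 1500-byte link MTU are this example's assumptions.

```python
"""GRE-over-IPsec packet size arithmetic. Added example, not from the thread."""

IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # base GRE header; 'tunnel key' and sequencing add 4 bytes each
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header

# ESP cipher -> (IV length, cipher block size) in bytes (assumed table, see lead-in)
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16),
           "esp-aes 192": (16, 16), "esp-aes 256": (16, 16)}
# ESP integrity transform -> ICV length in bytes
ICVS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}


def wire_size(inner_len, cipher, hmac, gre_key=False, gre_seq=False, transport=False):
    """Bytes on the wire once an inner IP packet has been GRE-encapsulated and ESP-protected.

    transport=False models ESP tunnel mode (a new outer IP header is added in front
    of the GRE/IP packet); transport=True models ESP transport mode, where the GRE
    delivery header stays outside ESP and no extra IP header is added.
    """
    iv_len, block = CIPHERS[cipher]
    gre_len = inner_len + GRE_HDR + (4 if gre_key else 0) + (4 if gre_seq else 0)
    # ESP encrypts the whole GRE/IP packet in tunnel mode, only the GRE part in
    # transport mode, plus the 2-byte ESP trailer, rounded up to the cipher block.
    plaintext = gre_len + (0 if transport else IP_HDR) + ESP_TRAILER
    padded = -(-plaintext // block) * block
    return IP_HDR + ESP_HDR + iv_len + padded + ICVS[hmac]


def max_inner_mtu(link_mtu, cipher, hmac, **kw):
    """Largest tunnel 'ip mtu' whose packets still fit link_mtu after GRE + ESP."""
    for n in range(link_mtu, 0, -1):
        if wire_size(n, cipher, hmac, **kw) <= link_mtu:
            return n
    raise ValueError("link MTU too small to carry any payload")


def tcp_mss_for(ip_mtu):
    """MSS that keeps a TCP segment inside ip_mtu (20-byte IP + 20-byte TCP header)."""
    return ip_mtu - 40


if __name__ == "__main__":
    cases = [("esp-3des", "esp-md5-hmac", {}),              # the thread's transform set
             ("esp-3des", "esp-md5-hmac", {"transport": True}),
             ("esp-aes 256", "esp-sha256-hmac", {"gre_key": True, "gre_seq": True})]
    for cipher, hmac, kw in cases:
        print(cipher, hmac, kw or "tunnel mode",
              "-> max ip mtu", max_inner_mtu(1500, cipher, hmac, **kw),
              "| ip mtu 1396 gives", wire_size(1396, cipher, hmac, **kw), "bytes on the wire")
    print("ip tcp adjust-mss for ip mtu 1396:", tcp_mss_for(1396))
```

With the thread's esp-3des esp-md5-hmac transform set in tunnel mode the ceiling comes out at 1422, so 1396 leaves headroom; switching to AES-256 with SHA-256 and adding a GRE key plus sequencing pulls the ceiling down to 1406, which is Rocco's point that the figure depends on cipher, hash and mode. The MSS value (1356 for ip mtu 1396) is what ip tcp adjust-mss on the tunnel interface would be set to, so TCP sessions never produce packets that need fragmenting in the first place.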

>From: Sydney Hawke <sydneyhawke@yahoo.com>
>Reply-To: Sydney Hawke <sydneyhawke@yahoo.com>
>To: Rocco R21 <roccor21@hotmail.com>, ccielab@groupstudy.com
>Subject: Re: VPN GRE Tunnel with crypto map problem
>Date: Wed, 9 May 2007 13:55:50 -0700 (PDT)
>
>Hi,
>
>Excellent, I did what you suggested and placed the crypto map on the
>physical (actually I tested on a Fa0/0.1 too and that works) but not on the
>loopbacks as you advised.
>
> #pkts encaps: 623, #pkts encrypt: 623, #pkts digest: 623
> #pkts decaps: 630, #pkts decrypt: 630, #pkts verify: 630
>
>One more thing, I noticed that you are using ip mtu 1396 is that the
>recommended size, what is the maximum?
>
>Thanks very much for your help.
>
>Best Regards,
>
>Sydney
>
>
>
>----- Original Message ----
>From: Rocco R21 <roccor21@hotmail.com>
>To: roccor21@hotmail.com; sydneyhawke@yahoo.com; ccielab@groupstudy.com
>Sent: Wednesday, May 9, 2007 10:17:52 PM
>Subject: RE: VPN GRE Tunnel with crypto map problem
>
>
>Figured I'd show an example of what I've tested; this config encrypts all
>traffic across the GRE tunnel:
>
>
>***VPN-Hub***
>!
>version 12.3
>!
>crypto isakmp policy 1
>encr 3des
>hash md5
>authentication pre-share
>group 2
>crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>!
>crypto ipsec transform-set cisco esp-3des esp-md5-hmac
>!
>crypto map fa0/1 1 ipsec-isakmp
>set peer 192.168.23.2
>set transform-set cisco
>match address 111
>!
>interface Loopback55
>ip address 55.55.55.1 255.255.255.0
>!
>interface Tunnel44
>ip address 77.77.77.2 255.255.255.0
>ip mtu 1396
>tunnel source Loopback55
>tunnel destination 44.44.44.1
>!
>interface FastEthernet0/0
>ip address 192.168.123.1 255.255.255.0
>speed 100
>full-duplex
>!
>interface FastEthernet0/1
>ip address 192.168.23.22 255.255.255.0
> speed 100
>full-duplex
>crypto map fa0/1
>!
>router eigrp 1
>network 77.0.0.0
>network 192.168.123.1 0.0.0.0
>no auto-summary
>no eigrp log-neighbor-changes
>!
>ip route 0.0.0.0 0.0.0.0 192.168.23.2
>!
>!
>access-list 111 permit gre any any
>!
>!
>!
>***VPN-spoke***
>!
>crypto isakmp policy 1
>encr 3des
>hash md5
>authentication pre-share
>group 2
>crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>!
>crypto ipsec transform-set cisco esp-3des esp-md5-hmac
>!
>crypto map e0/0 1 ipsec-isakmp
>set peer 192.168.23.22
>set transform-set cisco
>match address 111
>!
>!
>interface Loopback0
>ip address 44.44.44.1 255.255.255.0
>!
>interface Tunnel44
>ip address 77.77.77.1 255.255.255.0
>ip mtu 1396
>tunnel source Loopback0
>tunnel destination 55.55.55.1
>!
>interface Ethernet0/0
>ip address 192.168.23.2 255.255.255.0
>ip ospf priority 240
>half-duplex
>crypto map e0/0
>!
>interface Ethernet0/1
>ip address 172.16.123.1 255.255.255.0
>half-duplex
>!
>router eigrp 1
>network 77.0.0.0
>network 172.16.123.1 0.0.0.0
>no auto-summary
>!
>ip route 0.0.0.0 0.0.0.0 192.168.23.22
>!
>access-list 111 permit gre any any
>!
>
>
>
>
>From: "Rocco R21" <roccor21@hotmail.com>
>Reply-To: "Rocco R21" <roccor21@hotmail.com>
>To: sydneyhawke@yahoo.com, ccielab@groupstudy.com
>Subject: RE: VPN GRE Tunnel with crypto map problem
>Date: Wed, 09 May 2007 15:45:49 -0400
>
> >Try using the crypto-map on only the physical interfaces of where the
> >traffic will traverse. (ie ether or serial) Remove it from your loopbacks
> >and tunnels if your IOS is 12.2(13)T or later. The named access-list
> >'vpn' will define what you want to encrypt, in this case only between the
> >loopbacks. Your crypto policy should get a match and your ACLs
> >are mirrored so you should be fine there. Also, you may want to consider
> >going with a smaller ip mtu on the tunnels to account for the GRE/IPSec
> >header info.
> >
> >http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_field_notice09186a0080697964.shtml
> >
> >HTH,
> >
> >rr
> >
> > --------------------------------------------------------------------
> >
> > From: Sydney Hawke <sydneyhawke@yahoo.com>
> > Reply-To: Sydney Hawke <sydneyhawke@yahoo.com>
> > To: ccielab@groupstudy.com
> > Subject: VPN GRE Tunnel with crypto map problem
> > Date: Wed, 9 May 2007 12:04:36 -0700 (PDT)
 > >
> > >Hi,
> > >
 > > >I have been testing this a lot and I just cannot get it to work
 > > >(encrypt). Is there anyone who is a better security person than I am
 > > >that can help?
> > >
> > >I appreciate your help in this.
> > >
> > >All networks advertised in OSPF
> > >
> > >ROUTER 4
> > >interface Tunnel46
> > > ip address 46.46.46.4 255.255.255.0
> > > tunnel source 4.4.4.4
> > > tunnel destination 6.6.6.6
 > > > crypto map CRYPTOMAP   <- Is it needed here, or just on the source interface, i.e. the loopback?
> > >!
> > >interface Loopback0
> > > ip address 4.4.4.4 255.255.255.0
> > > crypto map CRYPTOMAP
> > >
> > >ip access-list extended VPN
> > >permit gre host 4.4.4.4 host 6.6.6.6
> > >
> > >crypto isakmp policy 1
> > > encr 3des
> > > authentication pre-share
> > > group 2
> > >
> > >crypto isakmp key CISCO address 6.6.6.6
> > >
> > >crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
> > >
> > >crypto map CRYPTOMAP 1 ipsec-isakmp
> > > set peer 6.6.6.6
> > > set transform-set TRANSFORM
> > > match address VPN
> >
> >
> >++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >ROUTER 6
> > >interface Tunnel46
> > > ip address 46.46.46.6 255.255.255.0
> > > tunnel source 6.6.6.6
> > > tunnel destination 4.4.4.4
 > > > crypto map CRYPTOMAP   <- Is it needed here, or just on the source interface, i.e. the loopback?
> > >
> > >interface Loopback0
> > > ip address 6.6.6.6 255.255.255.0
> > > crypto map CRYPTOMAP
> > >
> > >ip access-list extended VPN
> > >permit gre host 6.6.6.6 host 4.4.4.4
> > >
> > >crypto isakmp policy 1
> > > encr 3des
> > > authentication pre-share
> > > group 2
> > >
> > >crypto isakmp key CISCO address 4.4.4.4
> > >
> > >crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
> > >
> > >crypto map CRYPTOMAP 1 ipsec-isakmp
> > > set peer 4.4.4.4
> > > set transform-set TRANSFORM
> > > match address VPN
> > >
> > >
> > >Best Regards,
> > >
> > >Sydney
> > >
> > >
> >
> >_______________________________________________________________________
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
>
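Added example, not code from the thread: a small Python check that reads the crypto-relevant lines of two IOS configs and reports the three things Rocco's first reply turns on: a crypto map applied to a Loopback or Tunnel interface rather than the physical egress interface, a set peer that does not point at the address where the other router applies its crypto map, and crypto ACLs that are not mirror images. The sample configs are rebuilt from the hub/spoke and ROUTER 4/ROUTER 6 snippets in the thread, trimmed to the lines the parser reads; the parser, the function names and the assumption that no crypto map local-address is in use are this example's own.

```python
"""Crypto-map placement and ACL mirror check for GRE over IPsec. Added example, not from the thread."""
import re


def _addr(tokens):
    t = tokens.pop(0)  # one IOS ACL address spec: 'any', 'host X' or 'X wildcard'
    return "any" if t == "any" else tokens.pop(0) if t == "host" else f"{t}/{tokens.pop(0)}"


def _entry(action, proto, rest):
    toks = rest.split()
    return (action, proto, _addr(toks), _addr(toks))


def parse(cfg):
    """Return (interfaces, crypto maps, ACLs); only the fields checked below are kept."""
    ifaces, cmaps, acls, ctx = {}, {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            ctx = ("if", m.group(1))
            ifaces[m.group(1)] = {"ip": None, "cmap": None}
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            ctx = ("cmap", m.group(1))
            cmaps[m.group(1)] = {"peer": None, "acl": None}
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            ctx = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.+)$", line):
            ctx = None  # numbered ACL entries are single lines
            acls.setdefault(m.group(1), []).append(_entry(*m.group(2, 3, 4)))
        elif ctx and ctx[0] == "if":
            if m := re.match(r"ip address (\S+)", line):
                ifaces[ctx[1]]["ip"] = m.group(1)
            elif m := re.match(r"crypto map (\S+)$", line):
                ifaces[ctx[1]]["cmap"] = m.group(1)
        elif ctx and ctx[0] == "cmap":
            if m := re.match(r"set peer (\S+)$", line):
                cmaps[ctx[1]]["peer"] = m.group(1)
            elif m := re.match(r"match address (\S+)$", line):
                cmaps[ctx[1]]["acl"] = m.group(1)
        elif ctx and ctx[0] == "acl":
            if m := re.match(r"(permit|deny) (\S+) (.+)$", line):
                acls[ctx[1]].append(_entry(*m.group(1, 2, 3)))
    return ifaces, cmaps, acls


def check_pair(cfg_a, cfg_b):
    """Findings for a two-router setup; an empty list means the pair is consistent."""
    findings, sides = [], {"A": parse(cfg_a), "B": parse(cfg_b)}
    phys = {"A": set(), "B": set()}  # addresses of physical interfaces carrying a crypto map
    for name, (ifaces, _, _) in sides.items():
        for ifname, info in ifaces.items():
            if not info["cmap"]:
                continue
            if ifname.lower().startswith(("loopback", "tunnel")):
                findings.append(f"{name}: crypto map {info['cmap']} is on {ifname}; "
                                "apply it on the physical egress interface instead")
            else:
                phys[name].add(info["ip"])
    for name, other in (("A", "B"), ("B", "A")):
        _, cmaps, acls = sides[name]
        _, o_cmaps, o_acls = sides[other]
        theirs = {e for od in o_cmaps.values() for e in o_acls.get(od["acl"], [])}
        for cm, d in cmaps.items():
            if d["peer"] not in phys[other]:
                findings.append(f"{name}: {cm} peers with {d['peer']}, but {other} has no "
                                "physical interface with that address carrying a crypto map")
            for act, proto, src, dst in acls.get(d["acl"], []):
                if (act, proto, dst, src) not in theirs:  # mirror entry must exist on the far side
                    findings.append(f"{name}: ACL {d['acl']} entry '{act} {proto} {src} {dst}' "
                                    f"has no mirror on {other}")
    return findings


# Sample configs rebuilt from the thread's addresses and names, trimmed to the lines
# this check reads: _working is Rocco's hub/spoke, _original is Sydney's R4/R6.
def _working(ifname, mapname, local_ip, peer_ip):
    return f"""crypto map {mapname} 1 ipsec-isakmp
 set peer {peer_ip}
 match address 111
interface {ifname}
 ip address {local_ip} 255.255.255.0
 crypto map {mapname}
access-list 111 permit gre any any
"""


def _original(local_ip, peer_ip):
    return f"""interface Tunnel46
 tunnel source {local_ip}
 tunnel destination {peer_ip}
 crypto map CRYPTOMAP
interface Loopback0
 ip address {local_ip} 255.255.255.0
 crypto map CRYPTOMAP
ip access-list extended VPN
 permit gre host {local_ip} host {peer_ip}
crypto map CRYPTOMAP 1 ipsec-isakmp
 set peer {peer_ip}
 match address VPN
"""


HUB = _working("FastEthernet0/1", "fa0/1", "192.168.23.22", "192.168.23.2")
SPOKE = _working("Ethernet0/0", "e0/0", "192.168.23.2", "192.168.23.22")
R4, R6 = _original("4.4.4.4", "6.6.6.6"), _original("6.6.6.6", "4.4.4.4")

if __name__ == "__main__":
    print("hub/spoke:", check_pair(HUB, SPOKE) or "OK")
    print("R4/R6:", *check_pair(R4, R6), sep="\n  ")
```

Run as a script it reports four misplaced crypto maps and two peer-address findings for the original R4/R6 configs and nothing for the working hub/spoke pair. The parser only understands the handful of commands it checks, so feed it the crypto and interface sections of show running-config rather than expecting it to validate a whole device; a design that deliberately peers on a loopback with crypto map local-address would need the peer check extended.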



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART