Watch out for recursive routing errors:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
From: Vishal Rane [mailto:vishal.rane_at_hotmail.co.in]
Sent: Monday, November 21, 2011 3:38 PM
To: Brian McGahan
Subject: RE: Securing IPSEC VPN Tunnel - Extra Mile
Thanks Brian for quick response.
Configuring GRE Tunnel over IPSEC with OSPF - any watch-out while
configuring it?
> From: bmcgahan_at_ine.com
> To: vishal.rane_at_hotmail.co.in; ccielab_at_groupstudy.com
> Date: Mon, 21 Nov 2011 15:08:19 -0600
> Subject: RE: Securing IPSEC VPN Tunnel - Extra Mile
>
> If all the device does is terminate IPsec VPN sessions then you should filter out all other non-IPsec packets. For example:
>
> ip access-list extended OUTSIDE_IN
> permit esp any any
> permit udp any any eq isakmp
> permit udp any any eq non500-isakmp
> deny ip any any
>
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Vishal Rane
> Sent: Monday, November 21, 2011 2:55 PM
> To: ccielab_at_groupstudy.com
> Subject: Securing IPSEC VPN Tunnel - Extra Mile
>
> Hi All
>
> I looked at INE Security Workbook (VPN Section); Configure IPSEC encryption with the Cisco IOS <site to site VPN tunneling>. If the Router is dedicated only for VPN then what additional configuration is needed to secure the Box?
>
> Not sure if Extra-Mile is covered in the Narbik Workbook or IP Expert
>
>
> Thanks
> Vishal
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Nov 21 2011 - 15:41:24 ART
This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
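
An added example, not part of the original thread: a short Python check that an extended ACL such as OUTSIDE_IN admits only ESP, IKE (UDP 500) and NAT-T (UDP 4500) and ends with an explicit deny. The function names and both sample configurations are constructed for illustration.

```python
import re
# Assumption: an IPsec-only edge needs ESP, IKE (UDP 500) and NAT-T (UDP 4500).
IPSEC_UDP_PORTS = {"isakmp", "500", "non500-isakmp", "4500"}

# Constructed sample configurations, not taken from a real device.
STRICT = """\
ip access-list extended OUTSIDE_IN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 deny ip any any
"""
LOOSE = """\
ip access-list extended OUTSIDE_IN
 permit esp any any
 permit tcp any any eq 22
 permit udp any any
"""

def acl_entries(config, name):
    """Return the permit/deny entries of the named extended ACL as token lists."""
    entries, inside = [], False
    for line in config.splitlines():
        header = re.match(r"ip access-list extended\s+(\S+)", line)
        if header:
            inside = header.group(1) == name
        elif inside and line.startswith(" "):
            # Drop a leading sequence number and a trailing log keyword.
            tokens = re.sub(r"^\s*\d+\s+|\s+log(-input)?\s*$", "", line).split()
            if tokens and tokens[0] in ("permit", "deny"):
                entries.append(tokens)
        elif line.strip():
            inside = False
    return entries

def is_ipsec_permit(tokens):
    """True if the entry is ESP, or UDP pinned to an IKE/NAT-T destination port."""
    return tokens[1] == "esp" or (
        tokens[1] == "udp" and tokens[-2] == "eq" and tokens[-1] in IPSEC_UDP_PORTS)

def audit(config, name):
    """List findings for an ACL that is meant to admit only IPsec traffic."""
    entries = acl_entries(config, name)
    findings = ["non-IPsec permit: " + " ".join(t) for t in entries
                if t[0] == "permit" and not is_ipsec_permit(t)]
    # IOS ends every ACL with an implicit deny; the explicit one adds hit counters.
    if not entries or entries[-1][:4] != ["deny", "ip", "any", "any"]:
        findings.append("no explicit final 'deny ip any any'")
    return findings
```
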