Jay, I am pasting the output of show running of R1 as well as the output you mentioned:
Current configuration : 1131 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.0.0.2
!
!
crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
!
crypto map R1toR2 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set R1toR2
 match address 111
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 crypto map R1toR2
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 111 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

R1#show ip ei nei
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.0.0.2                Fa0/0             13 00:02:06  118   708  0  5
R1#sh cry ip sa

interface: FastEthernet0/0
    Crypto map tag: R1toR2, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 24, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x1A82651C(444753180)

     inbound esp sas:
      spi: 0x2BD02572(735061362)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: R1toR2
        sa timing: remaining key lifetime (k/sec): (4583642/3467)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1A82651C(444753180)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: R1toR2
        sa timing: remaining key lifetime (k/sec): (4583642/3466)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#sh cry ip sa

interface: FastEthernet0/0
    Crypto map tag: R1toR2, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 24, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x1A82651C(444753180)

     inbound esp sas:
      spi: 0x2BD02572(735061362)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: R1toR2
        sa timing: remaining key lifetime (k/sec): (4583642/3462)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1A82651C(444753180)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: R1toR2
        sa timing: remaining key lifetime (k/sec): (4583642/3461)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#
As you can see, there is no other traffic than EIGRP and it's getting encrypted !!!!
________________________________
From: Jay McMickle <jay.mcmickle_at_yahoo.com>
To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Sunday, December 9, 2012 7:56 PM
Subject: Re: site to site vpn and routing protocol

Can you show the output of sh IP EIGRP neigh?

Can you configure the interesting traffic for TCP traffic only in ACL 111? You'll notice that the EIGRP isn't getting encrypted. It's peering outside of the tunnel, and this ACL change will verify for you. Also, when you remove the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?

Great question, and a hard one to explain.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:

> I will share the topology here,
>
> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>
> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running 12.4 adv security. I configured the following on R1 and a replica on R2 (which I won't show since it will be just a repetition)
>
> R1
>
> crypto isakmp key 0 cisco address 10.0.0.2
> crypto isakmp policy 1
>  auth pre-share
>  encry des
>  hash md5
>  group 2
>
> access-list 111 permit ip any any
>
> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> crypto map R1toR2 10 ipsec-isakmp
>  match address 111
>  set peer 10.0.0.2
>  set transform-set R1toR2
>
> interface Fastethernet 0/0
>  ip address 10.0.0.1 255.255.255.0
>  crypto map R1toR2
>
> router eigrp 1
>  no auto
>  network 10.0.0.0 0.0.0.255
>
> Now EIGRP successfully forms the neighborship; I can see the packets being encrypted/decrypted while there is no other communication than EIGRP. This is surprising for me since I remembered for sure that protocols didn't work over IPsec since IPsec has issues with multicast packets.
>
> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> Sent: Sunday, December 9, 2012 6:55 PM
> Subject: Re: site to site vpn and routing protocol
>
> You'll have to see how that's happening. Most likely the peering is going a different direction than you think (not over the tunnel). Type "show IP EIGRP neigh or OSPF neigh" and see what IP address and what route it's taking to get there.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
>> No, there are no tunnel interfaces; that's why I am surprised that EIGRP/OSPF are able to run over IPsec?
>>
>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> Sent: Sunday, December 9, 2012 6:01 PM
>> Subject: Re: site to site vpn and routing protocol
>>
>> All you need is a L3 interface on each end for the adjacencies. That's why GRE over IPSEC enables dynamic protocols.
>>
>> If you are peering over IPSEC, what L3 interfaces is it using? Is it going over the tunnel for the peering?
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>>
>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>> > Hi all,
>> >
>> > I was under the impression that if I have 2 routers connected back to back and I run IPsec over it, routing protocols won't work. That was the main reason we use GRE. But now when I reconfigured it on GNS3 and on real routers (1841), I saw that neighbor adjacencies are working fine for all protocols. So it's a bit surprising for me.
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
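The whole thread turns on one question: which packets does the crypto map treat as "interesting traffic"? On IOS that is decided by the ACL named under match address, and the posted ACL 111 is permit ip any any, which an EIGRP hello (IP protocol 88 to 224.0.0.10) matches just like any other packet. The following is an added example, not IOS code and not code written by either poster: a small Python classifier for the subset of extended-ACL syntax used in the thread (protocol keyword, any / host / address-with-wildcard, no port qualifiers), run over a few constructed sample packets. ACL_AS_POSTED is the ACL from the thread; ACL_TCP_ONLY is the test Jay proposed, and ACL_SCOPED is a hypothetical variant limited to the link subnet; both of those and the sample packets are assumptions made for the example.

```python
"""Crypto-ACL "interesting traffic" classifier (added example, not IOS code).

Models the decision an IOS crypto map makes: a packet is IPsec-encapsulated
towards the peer only if it is permitted by the ACL under 'match address'.
ACL entry syntax supported: access-list N permit|deny PROTO SRC DST, where
SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.  Port qualifiers
are rejected rather than silently ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers for the keywords this subset understands.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17,
               "gre": 47, "eigrp": 88, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None means any IP protocol ("ip")
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (host mask) after the slash as
    # long as it is contiguous; strict=False clears any host bits.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_lines: List[str], acl_number: int) -> List[AclEntry]:
    """Collect the entries of one numbered extended ACL, in config order."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(acl_number):
            continue
        action, proto = t[2], PROTO_NAMES[t[3]]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        if i != len(t):
            raise ValueError(f"unsupported qualifier (ports etc.) in: {line}")
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def is_interesting(pkt: Packet, entries: List[AclEntry]) -> bool:
    """First matching entry wins; no match means deny (IOS implicit deny).

    True: the crypto map would encapsulate the packet towards the peer.
    False: the packet is forwarded in the clear.
    """
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto not in (None, pkt.proto):
            continue
        if s in e.src_net and d in e.dst_net:
            return e.action == "permit"
    return False


def classify(config_lines: List[str], acl_number: int,
             packets: Dict[str, Packet]) -> Dict[str, bool]:
    entries = parse_acl(config_lines, acl_number)
    return {name: is_interesting(p, entries) for name, p in packets.items()}


# Constructed sample traffic on the R1-R2 link from the thread.
SAMPLE_PACKETS = {
    "eigrp_hello": Packet("10.0.0.1", "224.0.0.10", 88),   # multicast, proto 88
    "ospf_hello":  Packet("10.0.0.1", "224.0.0.5", 89),
    "icmp_echo":   Packet("10.0.0.1", "10.0.0.2", 1),
    "tcp_telnet":  Packet("10.0.0.1", "10.0.0.2", 6),
}

# ACL 111 exactly as posted in the thread.
ACL_AS_POSTED = ["access-list 111 permit ip any any"]
# Hypothetical: the TCP-only version Jay suggested as a test.
ACL_TCP_ONLY = ["access-list 111 permit tcp any any"]
# Hypothetical: ACL scoped to the unicast link subnet only.
ACL_SCOPED = ["access-list 111 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"]

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED),
                       ("tcp only", ACL_TCP_ONLY),
                       ("scoped", ACL_SCOPED)):
        print(f"{label}: {classify(acl, 111, SAMPLE_PACKETS)}")
```

With the ACL as posted every sample packet, the EIGRP hello included, is interesting, which is consistent with the encaps/decaps counters in the show crypto ipsec sa output growing while nothing but EIGRP is on the wire. With the TCP-only ACL the hellos are no longer interesting and travel in the clear, so if the adjacency survives that change it is being formed outside the tunnel, which is exactly the check Jay asked for. The scoped variant shows the defensive side of the same rule: a crypto ACL limited to the unicast addresses you actually intend to protect leaves the multicast control traffic out of the SA, whereas permit ip any any pulls in every packet that leaves the interface. The classifier only answers "would the crypto map select this packet"; it does not model whether an encapsulated multicast packet is deliverable, and it deliberately raises on ACL syntax it does not understand so that a port or established qualifier is never silently treated as a bare permit.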
Received on Sun Dec 09 2012 - 09:35:46 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART