Re: site to site vpn and routing protocol

From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
Date: Sun, 9 Dec 2012 23:31:56 +0530

As I think, IPSEC is mostly deployed over the public Internet. The IP subnet is
generally different on both sides, causing issues with routing protocols.
So GRE over IPSEC is used to address this issue. I might be wrong, as I
haven't dealt much with them.

On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:

> Can you show the output of sh IP EIGRP neigh?
>
> Can you configure the interesting traffic for TCP traffic only in ACL 111?
> You'll notice that the EIGRP isn't getting encrypted. It's peering outside
> of the tunnel, and this ACL change will verify for you. Also, when you
> remove the peer keys and the tunnel goes down, do you lose your EIGRP
> neighbor?
>
> Great question, and a hard one to explain.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
> > I will share the topology here,
> >
> > ----------R1(10.0.0.1)(Fasteth0/0)-----------------------------(Fasteth0/0)(10.0.0.2)R2----------
> >
> > R1 and R2 are connected back to back over Fas0/0. Routers are 1841s
> > running 12.4 adv security. I configured the following on R1 and a replica
> > on R2 (which I won't show since it would just be a repetition):
> >
> > R1
> > crypto isakmp key 0 cisco address 10.0.0.2
> > crypto isakmp policy 1
> > auth pre-share
> > encry des
> > hash md5
> > group 2
> >
> > access-list 111 permit ip any any
> >
> > crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> > crypto map R1toR2 10 ipsec-isakmp
> > match address 111
> > set peer 10.0.0.2
> > set transform-set R1toR2
> >
> > interface Fastethernet 0/0
> > ip address 10.0.0.1 255.255.255.0
> > crypto map R1toR2
> >
> > router eigrp 1
> > no auto
> > network 10.0.0.0 0.0.0.255
> >
> > Now EIGRP successfully forms the neighborship; I can see the packets
> > being encrypted/decrypted while there is no other communication than
> > EIGRP. This is surprising for me since I remembered for sure that
> > protocols didn't work over IPsec, since IPsec has issues with multicast
> > packets.
> >
> > From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> > To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> > Sent: Sunday, December 9, 2012 6:55 PM
> > Subject: Re: site to site vpn and routing protocol
> >
> > You'll have to see how that's happening. Most likely the peering is
> > going a different direction than you think (not over the tunnel). Type
> > "show IP EIGRP neigh or OSPF neigh" and see what IP address and what
> > route it's taking to get there.
> >
> > Regards,
> > Jay McMickle- CCIE #35355 (RS)
> > Sent from my iPhone 5
> >
> > On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >
> >> No, there are no tunnel interfaces; that's why I am surprised that
> >> EIGRP/OSPF are able to run over IPsec.
> >>
> >> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> >> Sent: Sunday, December 9, 2012 6:01 PM
> >> Subject: Re: site to site vpn and routing protocol
> >>
> >> All you need is a L3 interface on each end for the adjacencies. That's
> >> why GRE over IPSEC enables dynamic protocols.
> >>
> >> If you are peering over IPSEC, what L3 interfaces is it using? Is it
> >> going over the tunnel for the peering?
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355 (RS)
> >> Sent from my iPhone 5
> >>
> >> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >>
> >> > Hi all,
> >> >
> >> >
> >> > I was under the impression that if I have 2 routers connected back to
> >> > back and I run IPsec over it, routing protocols won't work. That was
> >> > the main reason we use GRE. But now when I reconfigured it on GNS3 and
> >> > on real routers (1841), I saw that neighbor adjacencies are working
> >> > fine for all protocols. So it's a bit surprising for me.
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> > _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html

-- 
Thanks & Regards,
Adesh
+91 99996 10511 (Delhi)
+91 99860 10511 (Banglore)
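Added example, not from any participant in this thread: a small Python model of the crypto-map "interesting traffic" check, applied to ACL 111 as posted (permit ip any any) versus the TCP-only variant Jay suggests, with an EIGRP hello (IP protocol 88 to 224.0.0.10) as the test packet. The ACL matcher, the packet values and the subnet-scoped third ACL are constructed for the example. It shows only what each ACL classifies as interesting; what the router actually does on the wire is confirmed by the neighbor and SA output asked for above. The point worth keeping in mind is that a packet that misses the crypto ACL is forwarded in the clear, not dropped.

```python
"""Crypto-ACL 'interesting traffic' check (added example, not from the thread).

A crypto map encrypts a packet only when it matches a permit entry of the
crypto ACL; anything else is forwarded in the clear, not dropped. This
models that classification so the posted ACL 111 (permit ip any any) can be
compared with the TCP-only variant suggested in the thread, using an EIGRP
hello (IP protocol 88, multicast 224.0.0.10) as the test packet. ACL text
and packet values below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers; "ip" means any protocol in IOS ACL syntax
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47,
                 "esp": 50, "eigrp": 88, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].

    Returns (network, index of the next unparsed token).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks (0.0.0.255 -> /24)
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse numbered extended ACL lines: access-list N permit|deny PROTO SRC DST.

    Port qualifiers after the destination are ignored; the example only needs
    protocol and address matching.
    """
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto_name = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, PROTO_NUMBERS[proto_name], src, dst))
    return entries


def is_interesting(acl, pkt):
    """True if the first matching entry is a permit (packet would be encrypted)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for entry in acl:
        proto_ok = entry.proto is None or entry.proto == pkt.proto
        if proto_ok and src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False  # implicit deny: sent in the clear, not dropped


# Constructed inputs: the ACL as posted, the TCP-only diagnostic variant, and a
# subnet-scoped variant that does not cover the multicast destination.
ACL_AS_POSTED = "access-list 111 permit ip any any"
ACL_TCP_ONLY = "access-list 111 permit tcp any any"
ACL_SUBNET_ONLY = "access-list 111 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"

EIGRP_HELLO = Packet("10.0.0.1", "224.0.0.10", PROTO_NUMBERS["eigrp"])
TCP_TO_PEER = Packet("10.0.0.1", "10.0.0.2", PROTO_NUMBERS["tcp"])


def classify(acl_text, pkt):
    """Return 'encrypted' or 'cleartext' for pkt under the given ACL text."""
    return "encrypted" if is_interesting(parse_acl(acl_text), pkt) else "cleartext"


if __name__ == "__main__":
    for name, acl in [("as posted", ACL_AS_POSTED), ("tcp only", ACL_TCP_ONLY),
                      ("subnet only", ACL_SUBNET_ONLY)]:
        print(f"{name:12} EIGRP hello: {classify(acl, EIGRP_HELLO):10} "
              f"TCP to peer: {classify(acl, TCP_TO_PEER)}")
```

Under the posted ACL the hello is classified as interesting, which is consistent with seeing encrypt/decrypt counters move with no other traffic present; under the TCP-only ACL it is not, which is the change Jay proposes as a test. The subnet-scoped variant is the common production shape, and it leaves the multicast hello outside the SA entirely, which is the usual reason a routing protocol ends up running in the clear or not at all over a bare crypto map.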
Received on Sun Dec 09 2012 - 23:31:56 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART