Just labbed it up and it does set up a neighbour ship. Strange indeed.
Regards,
Sid
Nobody's really listening, until you make a mistake...
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: 09 December 2012 23:05
To: Adesh Chaudhary
Cc: Ovais Iqbal; ccielab_at_groupstudy.com
Subject: Re: site to site vpn and routing protocol

That is a good summary!

Regards,
Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)

From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>
Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Sunday, December 9, 2012 12:01 PM
Subject: Re: site to site vpn and routing protocol

As I think, IPSEC is mostly deployed over Public Internet. IP Subnet is generally different over both sides, causing issues with Routing Protocols. So GRE over IPSEC is used to address this issue. I might be wrong, as I haven't dealt much with them.

On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> Can you show the output of sh IP EIGRP neigh?
>
> Can you configure the interesting traffic for TCP traffic only in ACL 111?
> You'll notice that the EIGRP isn't getting encrypted. It's peering outside of
> the tunnel, and this ACL change will verify for you. Also, when you remove the
> peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
>
> Great question, and a hard one to explain.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
> > I will share the topology here,
> >
> > ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
> >
> > R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running
> > 12.4 adv security. I configured the following on R1 and a replica on R2 (which I
> > won't show since it will be just a repetition)
> >
> > R1
> > crypto isakmp key 0 cisco address 10.0.0.2
> > crypto isakmp policy 1
> >  auth pre-share
> >  encry des
> >  hash md5
> >  group 2
> >
> > access-list 111 permit ip any any
> >
> > crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> > crypto map R1toR2 10 ipsec-isakmp
> >  match address 111
> >  set peer 10.0.0.2
> >  set transform-set R1toR2
> >
> > interface Fastethernet 0/0
> >  ip address 10.0.0.1 255.255.255.0
> >  crypto map R1toR2
> >
> > router eigrp 1
> >  no auto
> >  network 10.0.0.0 0.0.0.255
> >
> > Now eigrp successfully forms the neighborship, I can see the packets being
> > encrypted/decrypted while there is no other communication than eigrp. This is
> > surprising for me since I remembered for sure that protocols didn't work over
> > ipsec since ipsec has issues with multicast packets.
> >
> > From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> > To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> > Sent: Sunday, December 9, 2012 6:55 PM
> > Subject: Re: site to site vpn and routing protocol
> >
> > You'll have to see how that's happening. Most likely the peering is going a
> > different direction than you think (not over the tunnel). Type "show IP EIGRP
> > neigh or OSPF neigh" and see what IP address and what route it's taking to
> > get there.
> >
> > Regards,
> > Jay McMickle- CCIE #35355 (RS)
> > Sent from my iPhone 5
> >
> > On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >
> >> No, there are no tunnel interfaces, that's why I am surprised that
> >> eigrp/ospf are able to run over ipsec?
> >>
> >> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> >> Sent: Sunday, December 9, 2012 6:01 PM
> >> Subject: Re: site to site vpn and routing protocol
> >>
> >> All you need is a L3 interface on each end for the adjacencies. That's why
> >> GRE over IPSEC enables dynamic protocols.
> >>
> >> If you are peering over IPSEC, what L3 interfaces is it using? Is it going
> >> over the tunnel for the peering?
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355 (RS)
> >> Sent from my iPhone 5
> >>
> >> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >>
> >> > Hi all,
> >> >
> >> > I was under the impression that if I have 2 routers connected back to
> >> > back and I run ipsec over it, routing protocols won't work. That was the
> >> > main reason we use GRE. But now when I reconfigured it on GNS3 and on real
> >> > routers (1841), I saw that neighbor adjacencies are working fine for all
> >> > protocols. So it's a bit surprising for me
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
Received on Sun Dec 09 2012 - 23:45:35 ART
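The two checks Jay proposes in the thread (narrow ACL 111 so EIGRP is no longer "interesting" traffic, then pull the pre-shared key so the SA cannot come up) can be turned into a repeatable lab procedure. The session below is an added example, not configuration posted by any participant; it reuses the thread's R1 addressing (10.0.0.1/10.0.0.2), crypto map R1toR2 and ACL 111, and assumes R2 mirrors each change. The point is to read the IPsec SA counters rather than the neighbor table alone, since with no tunnel interface the neighbor will always show as 10.0.0.2 on Fa0/0 whether or not its hellos are being encrypted.

```cisco
! --- Step 0: baseline with the thread's ACL (permit ip any any) ---
R1# show ip eigrp neighbors
R1# show crypto ipsec sa | include local ident|remote ident|pkts encaps|pkts decaps
! Note the encaps/decaps counts, then run the same command a minute later.
! EIGRP hellos are IP protocol 88 sent to 224.0.0.10 every 5 s on FastEthernet,
! so with only EIGRP on the link a counter that climbs by roughly 12/minute
! means the hellos themselves are what is being encapsulated in the SA.

! --- Step 1: exclude EIGRP from the crypto ACL (Jay's first test) ---
! ICMP is kept "interesting" only so a ping can bring the SA up and keep it
! up while EIGRP is deliberately left outside it.
R1# configure terminal
R1(config)# no access-list 111
R1(config)# access-list 111 permit icmp any any
R1(config)# access-list 111 permit tcp any any
R1(config)# end
R1# clear crypto sa
R1# ping 10.0.0.2
R1# clear ip eigrp neighbors
! Wait past the 15 s hold time, then:
R1# show ip eigrp neighbors
R1# show crypto ipsec sa | include pkts encaps|pkts decaps
! Neighbor back, counters only moved by the ping: the adjacency is being
! formed in clear text, outside the SA, and the neighbor table alone could
! not have told you that.
! Neighbor back AND counters still climbing without pings: hellos are still
! matching some entry in ACL 111, so re-check the ACL before drawing conclusions.

! --- Step 2: break IKE and see whether the neighbor survives (Jay's second test) ---
! Restore the original broad ACL first so EIGRP is again subject to the map.
R1# configure terminal
R1(config)# no access-list 111
R1(config)# access-list 111 permit ip any any
R1(config)# no crypto isakmp key 0 cisco address 10.0.0.2
R1(config)# end
R1# clear crypto isakmp
R1# clear crypto sa
R1# show crypto isakmp sa
! With no valid key the ISAKMP SA never reaches QM_IDLE, so packets that
! match the crypto ACL have no SA to use. Wait past the hold time, then:
R1# show ip eigrp neighbors
! Neighbor gone: the hellos really were only reaching R2 inside the SA.
! Neighbor still up: the hellos are bypassing the crypto map and the earlier
! encaps/decaps counts came from something other than EIGRP.

! --- Cleanup ---
R1# configure terminal
R1(config)# crypto isakmp key 0 cisco address 10.0.0.2
R1(config)# end
```

The `include` filters use IOS regular expressions, so the `|` alternation selects several counter lines in one pass. Run each `show` on R2 as well; a one-sided result (encaps rising on R1 but decaps flat on R2) points at the configs not actually being mirrored rather than at IPsec behaviour.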