RE: site to site vpn and routing protocol

From: Sidney D'Souza <mail.sidney_at_gmail.com>
Date: Mon, 10 Dec 2012 11:21:39 +0400

I added a layer 3 hop and the EIGRP peering no longer works. Debugging IP
packets shows traffic being sent to the multicast address 224.0.0.10 over
fa0/0, but the access-list counters do not increment. So why does it work
when directly connected? Good question Ovais :)

Configs in a nutshell
----------------------
R1 (f0/0 10.1.1.1)<------------>R3<------------->(f0/0 192.168.1.2)R2

R1#sh run | s crypto|router|ip route|ip access
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key cisco address 192.168.1.2

crypto ipsec transform-set R1-2-R2 esp-aes esp-sha-hmac
 mode transport
crypto map R1-2-R2 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set R1-2-R2
 match address R1-2-R2-ACL
 crypto map R1-2-R2

router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 10.120.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
 auto-summary

ip route 192.168.1.0 255.255.255.0 10.1.1.3

ip access-list extended R1-2-R2-ACL
 permit ip any any

***************************************
R2#sh run | s crypto|router|ip route|ip access
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set R2-2-R1 esp-aes esp-sha-hmac
 mode transport
crypto map R2-2-R1 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set R2-2-R1
 match address R2-2-R1-ACL
 crypto map R2-2-R1

router eigrp 1
 network 10.10.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
 network 10.20.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
 network 192.168.1.0 0.0.0.255
 no auto-summary

ip route 10.1.1.0 255.255.255.0 192.168.1.3

ip access-list extended R2-2-R1-ACL
 permit ip any any

Regards,
Sid
Nobody's really listening, until you make a mistake...

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Ovais Iqbal
Sent: 10 December 2012 08:39
To: Brian McGahan
Cc: ccielab_at_groupstudy.com
Subject: Re: site to site vpn and routing protocol

Dear Brian,

In my case, what do you think is the reason EIGRP worked over IPsec? I remember that it
didn't use to, back 2-3 years ago. I labbed it up myself and protocols won't
work in such a scenario. If I don't use any tunnel interfaces (which I haven't,
as shown in the configuration), is it possible to shed some light on this
behavior?

________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>; Sidney D'Souza <mail.sidney_at_gmail.com>
Cc: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>; Ovais Iqbal <ovais.iqball_at_yahoo.com>; "<ccielab_at_groupstudy.com>" <ccielab_at_groupstudy.com>
Sent: Monday, December 10, 2012 1:49 AM
Subject: RE: site to site vpn and routing protocol
 
If you use an IPsec Virtual Tunnel Interface (VTI) this removes the need for
running GRE, but still allows you to run layer 3 routing protocols across
the site to site tunnel. It's basically the same as GRE but there is less
overhead in the encapsulation. Also the configuration is simpler compared
to the traditional crypto map and GRE tunnel interface config:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html

There is also a Dynamic VTI that is the replacement for the Easy VPN dynamic crypto map.

If you're going for CCIE Security make sure you know all the possible
combinations of different tunnels, as this is a huge portion of the exam.
Also there are different features that are and are not supported with the
different types of tunnels.

For example if you had a question that said "Configure an IPsec tunnel between
R1 and R2 to encrypt only ICMP traffic" which types of tunnels would or
would not work and why? Or likewise if the question said "Configure an
IPsec tunnel between R1 and R2 that is part of the ZBPF zone INSIDE" which
types of tunnels would or would not work and why?

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan_at_INE.com
 
Internetwork Expert, Inc.
http://www.INE.com
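As an added example (not from this thread or from the Cisco document linked above), here is Sid's R1/R3/R2 topology from the top of the thread reworked onto a static IPsec VTI: the crypto map and crypto ACL on f0/0 go away, EIGRP peers over the Tunnel0 addresses, and R3 only ever forwards ESP. The tunnel subnet 10.255.0.0/30 and the VTI-TS/VTI-PROF names are assumed; everything else reuses Sid's addresses and loopbacks.

```cisco
! R1 (f0/0 10.1.1.1); tunnel subnet 10.255.0.0/30 and the VTI-* names are assumed
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! no crypto map / crypto ACL on f0/0: whatever is routed into Tunnel0 gets encrypted
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! the static route to the peer stays: it carries the ESP packets via R3
ip route 192.168.1.0 255.255.255.0 10.1.1.3
!
! EIGRP hellos now leave on Tunnel0 (a real L3 interface), so R3 never sees 224.0.0.10
router eigrp 1
 network 10.255.0.0 0.0.0.3
 network 10.120.1.0 0.0.0.255
 no auto-summary
!
! R2 (f0/0 192.168.1.2), mirror image of R1
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
ip route 10.1.1.0 255.255.255.0 192.168.1.3
router eigrp 1
 network 10.255.0.0 0.0.0.3
 network 10.10.1.0 0.0.0.255
 network 10.20.1.0 0.0.0.255
 no auto-summary
```

Verify with show ip eigrp neighbors (the peer should be listed on Tunnel0) and show crypto ipsec sa, whose encaps/decaps counters should climb with every hello.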
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Sunday, December 09, 2012 2:26 PM
To: Sidney D'Souza
Cc: Adesh Chaudhary; Ovais Iqbal; <ccielab_at_groupstudy.com>
Subject: Re: site to site vpn and routing protocol

It has to do with directly connected interfaces. Put another layer 3 hop in
between them and you'll see that it won't peer through the tunnel without GRE.

Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5

On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com> wrote:

> Just labbed it up and it does set up a neighbourship. Strange indeed.
>
> Regards,
> Sid
>
> Nobody's really listening, until you make a mistake...
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: 09 December 2012 23:05
> To: Adesh Chaudhary
> Cc: Ovais Iqbal; ccielab_at_groupstudy.com
> Subject: Re: site to site vpn and routing protocol
>
> That is a good summary!
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Sunday, December 9, 2012 12:01 PM
> Subject: Re: site to site vpn and routing protocol
>
> As I think, IPSEC is mostly deployed over Public Internet. IP Subnet is
> generally different over both sides, causing issues with Routing Protocols.
> So GRE over IPSEC is used to address this issue. I might be wrong, as I
> haven't dealt much with them.
>
>
> On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> Can you show the output of sh IP EIGRP neigh?
>>
>> Can you configure the interesting traffic for TCP traffic only in ACL 111?
>> You'll notice that the EIGRP isn't getting encrypted. It's peering outside
>> of the tunnel, and this ACL change will verify for you. Also, when you remove
>> the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
>>
>> Great question, and a hard one to explain.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>>
>> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>>> I will share the topology here,
>>> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>>>
>>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841
>>> running 12.4 adv security. I configured the following on R1 and a replica
>>> on R2 (which I won't show since it will be just a repetition)
>>>
>>> R1
>>> crypto isakmp key 0 cisco address 10.0.0.2
>>> crypto isakmp policy 1
>>> auth pre-share
>>> encry des
>>> hash md5
>>> group 2
>>>
>>> access-list 111 permit ip any any
>>>
>>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
>>> crypto map R1toR2 10 ipsec-isakmp
>>> match address 111
>>> set peer 10.0.0.2
>>> set transform-set R1toR2
>>>
>>> interface Fastethernet 0/0
>>> ip address 10.0.0.1 255.255.255.0
>>> crypto map R1toR2
>>>
>>> router eigrp 1
>>> no auto
>>> network 10.0.0.0 0.0.0.255
>>>
>>> Now EIGRP successfully forms the neighborship, I can see the packets
>>> being encrypted/decrypted while there is no other communication than
>>> EIGRP. This is surprising for me since I remembered for sure that
>>> protocols didn't work over IPsec since IPsec has issues with multicast
>>> packets.
>>>
>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>> Sent: Sunday, December 9, 2012 6:55 PM
>>> Subject: Re: site to site vpn and routing protocol
>>>
>>> You'll have to see how that's happening. Most likely the peering is
>>> going a different direction than you think (not over the tunnel). Type
>>> "show IP EIGRP neigh or OSPF neigh" and see what IP address and what
>>> route it's taking to get there.
>>>
>>> Regards,
>>> Jay McMickle- CCIE #35355 (RS)
>>> Sent from my iPhone 5
>>>
>>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>
>>>> No, there are no tunnel interfaces, that's why I am surprised why
>>>> EIGRP/OSPF are able to run over IPsec?
>>>>
>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>>>> Sent: Sunday, December 9, 2012 6:01 PM
>>>> Subject: Re: site to site vpn and routing protocol
>>>>
>>>> All you need is a L3 interface on each end for the adjacencies. That's
>>>> why GRE over IPSEC enables dynamic protocols.
>>>>
>>>> If you are peering over IPSEC, what L3 interfaces is it using? Is it
>>>> going over the tunnel for the peering?
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (RS)
>>>> Sent from my iPhone 5
>>>>
>>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I was under the impression that if I have 2 routers connected back to
>>>>> back and I run IPsec over it, routing protocols won't work. That was the
>>>>> main reason we use GRE. But now when I reconfigured it on GNS3 and on
>>>>> real routers (1841), I saw that neighbor adjacencies are working fine
>>>>> for all protocols. So it's a bit surprising for me.
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>
Received on Mon Dec 10 2012 - 11:21:39 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART