So will the EIGRP adjacency drop if neighbor statements are added, e.g. if we
use unicast instead of multicast?
Cheers,
George
> From: bmcgahan_at_ine.com
> To: mail.sidney_at_gmail.com; ovais.iqball_at_yahoo.com
> CC: ccielab_at_groupstudy.com
> Date: Mon, 10 Dec 2012 13:44:02 -0600
> Subject: RE: site to site vpn and routing protocol
>
> If the IPsec peers are directly connected the EIGRP will work because the
> multicast isn't sent over the crypto tunnel, only the unicast. Look at the
> "show crypto ipsec" counters and you'll see the EIGRP hellos aren't making it
> increment. If you want to send multicast over IPsec you need to use something
> like a GRE tunnel or use GETVPN.
>
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
>
> -----Original Message-----
> From: Sidney D'Souza [mailto:mail.sidney_at_gmail.com]
> Sent: Monday, December 10, 2012 1:22 AM
> To: 'Ovais Iqbal'; Brian McGahan
> Cc: ccielab_at_groupstudy.com
> Subject: RE: site to site vpn and routing protocol
>
> I added a layer 3 hop and the EIGRP peering no longer works. Debugging IP
> packets shows traffic being sent to the multicast address of 224.0.0.10 over
> fa0/0, but the access-list counters do not increment. So why does it work when
> directly connected? Good question Ovais :)
>
> Configs In a nutshell
> ----------------------
> R1 (f0/0 10.1.1.1)<------------>R3<------------->(f0/0 192.168.1.2)R2
>
> R1#sh run | s crypto|router|ip route|ip access
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key cisco address 192.168.1.2
> !
> crypto ipsec transform-set R1-2-R2 esp-aes esp-sha-hmac
>  mode transport
> !
> crypto map R1-2-R2 1 ipsec-isakmp
>  set peer 192.168.1.2
>  set transform-set R1-2-R2
>  match address R1-2-R2-ACL
> !
> ! crypto map applied to the interface (interface section not shown)
> crypto map R1-2-R2
>
> router eigrp 1
> network 10.1.1.0 0.0.0.255
> network 10.120.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
> auto-summary
>
> ip route 192.168.1.0 255.255.255.0 10.1.1.3
>
> ip access-list extended R1-2-R2-ACL
> permit ip any any
>
> ***************************************
> R2#sh run | s crypto|router|ip route|ip access
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key cisco address 10.1.1.1
> !
> crypto ipsec transform-set R2-2-R1 esp-aes esp-sha-hmac
>  mode transport
> !
> crypto map R2-2-R1 1 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set R2-2-R1
>  match address R2-2-R1-ACL
> !
> ! crypto map applied to the interface (interface section not shown)
> crypto map R2-2-R1
>
> router eigrp 1
> network 10.10.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
> network 10.20.1.0 0.0.0.255 (loopback created for advertisements through eigrp)
> network 192.168.1.0 0.0.0.255
> no auto-summary
>
> ip route 10.1.1.0 255.255.255.0 192.168.1.3
>
> ip access-list extended R2-2-R1-ACL
> permit ip any any
>
> Regards,
> Sid
> Nobody's really listening, until you make a mistake...
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ovais Iqbal
> Sent: 10 December 2012 08:39
> To: Brian McGahan
> Cc: ccielab_at_groupstudy.com
> Subject: Re: site to site vpn and routing protocol
>
> Dear Brian,
>
>
> In my case, why do you think EIGRP worked over IPsec? I remember that it
> didn't use to 2-3 years ago. I labbed it up myself and protocols won't work
> in such a scenario. If I don't use any tunnel interfaces (which I haven't, as
> shown in the configuration), is it possible to shed some light on this behavior?
>
>
>
> ________________________________
> From: Brian McGahan <bmcgahan_at_ine.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>; Sidney D'Souza <mail.sidney_at_gmail.com>
> Cc: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>; Ovais Iqbal <ovais.iqball_at_yahoo.com>; "<ccielab_at_groupstudy.com>" <ccielab_at_groupstudy.com>
> Sent: Monday, December 10, 2012 1:49 AM
> Subject: RE: site to site vpn and routing protocol
>
> If you use an IPsec Virtual Tunnel Interface (VTI) this removes the need for
> running GRE, but still allows you to run layer 3 routing protocols across the
> site to site tunnel. It's basically the same as GRE but there is less
> overhead in the encapsulation. Also the configuration is simpler compared to
> the traditional crypto map and GRE tunnel interface config:
>
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
>
> There is also a Dynamic VTI that is the replacement for the Easy VPN dynamic
> crypto map.
>
> If you're going for CCIE Security make sure you know all the possible
> combinations of different tunnels, as this is a huge portion of the exam. Also
> there are different features that are and are not supported with the different
> types of tunnels.
>
> For example if you had a question that said "Configure an IPsec tunnel between
> R1 and R2 to encrypt only ICMP traffic" which types of tunnels would or would
> not work and why? Or likewise if the question said "Configure an IPsec tunnel
> between R1 and R2 that is part of the ZBPF zone INSIDE" which types of tunnels
> would or would not work and why?
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: Sunday, December 09, 2012 2:26 PM
> To: Sidney D'Souza
> Cc: Adesh Chaudhary; Ovais Iqbal; <ccielab_at_groupstudy.com>
> Subject: Re: site to site vpn and routing protocol
>
> It has to do with directly connected interfaces. Put another layer 3 hop in
> between them and you'll see that it won't peer through the tunnel without GRE.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com> wrote:
>
> > Just labbed it up and it does set up a neighbourship. Strange indeed.
> >
> > Regards,
> > Sid
> > Nobody's really listening, until you make a mistake...
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> > Sent: 09 December 2012 23:05
> > To: Adesh Chaudhary
> > Cc: Ovais Iqbal; ccielab_at_groupstudy.com
> > Subject: Re: site to site vpn and routing protocol
> >
> > That is a good summary!
> >
> > Regards,
> > Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
> >
> > From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
> > To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> > Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> > Sent: Sunday, December 9, 2012 12:01 PM
> > Subject: Re: site to site vpn and routing protocol
> >
> > As I think, IPSEC is mostly deployed over the public Internet. The IP subnet
> > is generally different on both sides, causing issues with routing protocols.
> > So GRE over IPSEC is used to address this issue. I might be wrong, as I
> > haven't dealt much with them.
> >
> >
> > On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> >
> >> Can you show the output of sh IP EIGRP neigh?
> >>
> >> Can you configure the interesting traffic for TCP traffic only in ACL 111?
> >> You'll notice that the EIGRP isn't getting encrypted. It's peering outside
> >> of the tunnel, and this ACL change will verify for you. Also, when you remove
> >> the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
> >>
> >> Great question, and a hard one to explain.
> >>
> >> Regards,
> >> Jay McMickle- CCIE #35355 (RS)
> >> Sent from my iPhone 5
> >>
> >> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >>
> >>> I will share the topology here,
> >>>
> >>> ----------R1(10.0.0.1)(Fasteth0/0)-----------------------------(Fasteth0/0)(10.0.0.2)R2----------
> >>>
> >>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running
> >>> 12.4 adv security. I configured the following on R1 and a replica on R2
> >>> (which I won't show since it will be just a repetition).
> >>>
> >>> R1
> >>> crypto isakmp key 0 cisco address 10.0.0.2
> >>> crypto isakmp policy 1
> >>>  authentication pre-share
> >>>  encryption des
> >>>  hash md5
> >>>  group 2
> >>>
> >>> access-list 111 permit ip any any
> >>>
> >>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
> >>> crypto map R1toR2 10 ipsec-isakmp
> >>>  match address 111
> >>>  set peer 10.0.0.2
> >>>  set transform-set R1toR2
> >>>
> >>> interface FastEthernet0/0
> >>>  ip address 10.0.0.1 255.255.255.0
> >>>  crypto map R1toR2
> >>>
> >>> router eigrp 1
> >>>  no auto-summary
> >>>  network 10.0.0.0 0.0.0.255
> >>>
> >>> Now EIGRP successfully forms the neighborship; I can see the packets being
> >>> encrypted/decrypted while there is no other communication than EIGRP. This
> >>> is surprising for me since I remembered for sure that protocols didn't work
> >>> over IPsec since IPsec has issues with multicast packets.
> >>>
> >>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>> Sent: Sunday, December 9, 2012 6:55 PM
> >>> Subject: Re: site to site vpn and routing protocol
> >>>
> >>> You'll have to see how that's happening. Most likely the peering is going a
> >>> different direction than you think (not over the tunnel). Type "show IP
> >>> EIGRP neigh or OSPF neigh" and see what IP address and what route it's
> >>> taking to get there.
> >>>
> >>> Regards,
> >>> Jay McMickle- CCIE #35355 (RS)
> >>> Sent from my iPhone 5
> >>>
> >>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >>>
> >>>> No, there are no tunnel interfaces, that's why I am surprised that
> >>>> EIGRP/OSPF are able to run over IPsec?
> >>>>
> >>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> >>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> >>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> >>>> Sent: Sunday, December 9, 2012 6:01 PM
> >>>> Subject: Re: site to site vpn and routing protocol
> >>>>
> >>>> All you need is a L3 interface on each end for the adjacencies. That's why
> >>>> GRE over IPSEC enables dynamic protocols.
> >>>>
> >>>> If you are peering over IPSEC, what L3 interfaces is it using? Is it going
> >>>> over the tunnel for the peering?
> >>>>
> >>>> Regards,
> >>>> Jay McMickle- CCIE #35355 (RS)
> >>>> Sent from my iPhone 5
> >>>>
> >>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >>>>
> >>>>> Hi all,
> >>>>>
> >>>>> I was under the impression that if I have 2 routers connected back to
> >>>>> back and I run IPsec over it, routing protocols won't work. That was the
> >>>>> main reason we use GRE. But now when I reconfigured it on GNS3 and on
> >>>>> real routers (1841), I saw that neighbor adjacencies are working fine for
> >>>>> all protocols. So it's a bit surprising for me.
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>> _______________________________________________________________________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Thanks & Regards,
> > Adesh
> > +91 99996 10511 (Delhi)
> > +91 99860 10511 (Banglore)
> >
> >
Received on Mon Dec 10 2012 - 23:24:51 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART
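The diagnostic the thread keeps coming back to is whether the routing-protocol hellos are really inside the SA: Brian points at the "show crypto ipsec" counters, and Jay suggests narrowing the crypto ACL and pulling the peer keys to see if the adjacency survives. The script below is an added example, not code from the thread or from Cisco; it automates the counter check. It assumes two snapshots of `show crypto ipsec sa` taken a known number of seconds apart and the default 5-second EIGRP hello interval on a LAN link. The sample output is constructed in the IOS format, not captured from R1, and contains one permit-ip-any-any SA (the crypto-map case from the thread) beside a GRE/protocol-47 SA for contrast.

```python
"""Spot routing-protocol hellos that bypass an IPsec crypto-map SA.

Added example (not from the thread, not Cisco tooling). Two snapshots of
`show crypto ipsec sa` taken `interval_s` seconds apart are parsed, and the
#pkts encaps growth of each SA is compared against the number of EIGRP
hellos the hello timer would have produced in that window. An SA whose
counter grows by less than that is not carrying the hellos, so the
adjacency is forming outside the protected path.
"""
import re

# One SA block in IOS output: idents, peer, then the packet counters.
LOCAL_IDENT_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
REMOTE_IDENT_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer\s+(\S+)\s+port\s+\d+")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

EIGRP_HELLO_INTERVAL_S = 5  # default hello timer on LAN links (assumption)


def parse_ipsec_sa(text):
    """Map (local ident, remote ident, peer) -> {'encaps': n, 'decaps': n}.

    Line-oriented: every SA block starts with a 'local ident' line, which
    opens a new record; later lines fill in the current record.
    """
    records = []
    cur = None
    for line in text.splitlines():
        if (m := LOCAL_IDENT_RE.search(line)):
            cur = {"local": m.group(1), "remote": "", "peer": "",
                   "encaps": 0, "decaps": 0}
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first SA block
        elif (m := REMOTE_IDENT_RE.search(line)):
            cur["remote"] = m.group(1)
        elif (m := PEER_RE.search(line)):
            cur["peer"] = m.group(1)
        elif (m := ENCAPS_RE.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)):
            cur["decaps"] = int(m.group(1))
    return {(r["local"], r["remote"], r["peer"]):
            {"encaps": r["encaps"], "decaps": r["decaps"]} for r in records}


def unprotected_hellos(before, after, interval_s,
                       hello_interval_s=EIGRP_HELLO_INTERVAL_S):
    """Return [(sa_key, encaps_delta, expected_hellos)] for every SA in
    `after` whose encapsulation counter grew by fewer packets than the hello
    timer would have sent across it during `interval_s` seconds."""
    base = parse_ipsec_sa(before)
    now = parse_ipsec_sa(after)
    expected = interval_s // hello_interval_s
    findings = []
    for key, counters in now.items():
        delta = counters["encaps"] - base.get(key, {"encaps": 0})["encaps"]
        if delta < expected:
            findings.append((key, delta, expected))
    return findings


def constructed_snapshot(encaps_any, decaps_any, encaps_gre, decaps_gre):
    """Constructed `show crypto ipsec sa` output (not captured from R1):
    a permit-ip-any-any SA and a GRE (protocol 47) SA to peer 192.168.1.2."""
    return f"""\
interface: FastEthernet0/0
    Crypto map tag: R1-2-R2, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps_any}, #pkts encrypt: {encaps_any}, #pkts digest: {encaps_any}
    #pkts decaps: {decaps_any}, #pkts decrypt: {decaps_any}, #pkts verify: {decaps_any}
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps_gre}, #pkts encrypt: {encaps_gre}, #pkts digest: {encaps_gre}
    #pkts decaps: {decaps_gre}, #pkts decrypt: {decaps_gre}, #pkts verify: {decaps_gre}
    #send errors 0, #recv errors 0
"""


# Constructed snapshots 60 s apart: the any/any SA stays flat while the
# GRE SA keeps encapsulating (hellos inside GRE get encrypted, bare ones do not).
SNAPSHOT_T0 = constructed_snapshot(12, 10, 100, 98)
SNAPSHOT_T60 = constructed_snapshot(12, 10, 130, 127)

if __name__ == "__main__":
    for key, delta, expected in unprotected_hellos(SNAPSHOT_T0, SNAPSHOT_T60, 60):
        print(f"SA {key}: encaps grew by {delta}, expected at least {expected} "
              "hellos; routing protocol is peering outside the SA")
```

Run against real devices, capture the command output twice with a known delay and feed both captures to `unprotected_hellos`. A finding on an SA matching the hello traffic is the counter-based version of what the thread describes: the adjacency is up, but the multicast hellos never entered the crypto map, which is why the R1/R3/R2 topology in Sidney's test loses the peering as soon as the routers are no longer on the same wire.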