Re: site to site vpn and routing protocol

From: Ovais Iqbal <ovais.iqball_at_yahoo.com>
Date: Tue, 11 Dec 2012 20:02:27 -0800 (PST)

No Brian, I ran the debug and only multicast hellos were being exchanged, and IPsec SA counters were increasing simultaneously.
________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Wednesday, December 12, 2012 1:04 AM
Subject: Re: site to site vpn and routing protocol

EIGRP uses both multicast and unicast. Most likely you are seeing the counters increment for the unicast exchange.

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com

On Dec 11, 2012, at 1:37 AM, "Ovais Iqbal" <ovais.iqball_at_yahoo.com> wrote:

Brian, I have to request you to check it on a rack also, please. What's surprising me is, I opened debug ip packet and there were only hellos being transmitted on the link, and as I see on show cry ipsec sa, its counters are also incrementing. It's EIGRP hellos that are being encrypted, and these hellos initially triggered the IPsec tunnel. That's what's shocking me; you need to lab it up.
>
> ________________________________
> From: Brian McGahan <bmcgahan_at_ine.com>
> To: Sidney D'Souza <mail.sidney_at_gmail.com>; 'Ovais Iqbal' <ovais.iqball_at_yahoo.com>
> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Tuesday, December 11, 2012 12:44 AM
> Subject: RE: site to site vpn and routing protocol
>
> If the IPsec peers are directly connected the EIGRP will work because the multicast isn't sent over the crypto tunnel, only the unicast. Look at the "show crypto ipsec" counters and you'll see the EIGRP hellos aren't making it increment. If you want to send multicast over IPsec you need to use something like a GRE tunnel or use GETVPN.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> -----Original Message-----
> From: Sidney D'Souza [mailto:mail.sidney_at_gmail.com]
> Sent: Monday, December 10, 2012 1:22 AM
> To: 'Ovais Iqbal'; Brian McGahan
> Cc: ccielab_at_groupstudy.com
> Subject: RE: site to site vpn and routing protocol
>
> I added a layer 3 hop and the EIGRP peering no longer works. Debugging IP packets shows traffic being sent to the multicast address of 224.0.0.10 over fa0/0, but the access-list counters do not increment. So why does it work when directly connected? Good question Ovais :)
>
> Configs in a nutshell
> ----------------------
> R1 (f0/0 10.1.1.1)<------------>R3<------------->(f0/0 192.168.1.2)R2
>
> R1#sh run | s crypto|router|ip route|ip access
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key cisco address 192.168.1.2
> crypto ipsec transform-set R1-2-R2 esp-aes esp-sha-hmac
>  mode transport
> crypto map R1-2-R2 1 ipsec-isakmp
>  set peer 192.168.1.2
>  set transform-set R1-2-R2
>  match address R1-2-R2-ACL
>  crypto map R1-2-R2
>
> router eigrp 1
>  network 10.1.1.0 0.0.0.255
>  network 10.120.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
>  auto-summary
>
> ip route 192.168.1.0 255.255.255.0 10.1.1.3
>
> ip access-list extended R1-2-R2-ACL
>  permit ip any any
>
> ***************************************
> R2#sh run | s crypto|router|ip route|ip access
> crypto isakmp policy 1
>  encr aes
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key cisco address 10.1.1.1
> crypto ipsec transform-set R2-2-R1 esp-aes esp-sha-hmac
>  mode transport
> crypto map R2-2-R1 1 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set R2-2-R1
>  match address R2-2-R1-ACL
>  crypto map R2-2-R1
>
> router eigrp 1
>  network 10.10.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
>  network 10.20.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
>  network 192.168.1.0 0.0.0.255
>  no auto-summary
>
> ip route 10.1.1.0 255.255.255.0 192.168.1.3
>
> ip access-list extended R2-2-R1-ACL
>  permit ip any any
>
> Regards,
> Sid
> Nobody's really listening, until you make a mistake...
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ovais Iqbal
> Sent: 10 December 2012 08:39
> To: Brian McGahan
> Cc: ccielab_at_groupstudy.com
> Subject: Re: site to site vpn and routing protocol
>
> Dear Brian,
>
> In my case, what do you think, why did EIGRP work over IPsec? I remember that it didn't use to, back 2-3 years ago. I labbed it up myself and protocols wouldn't work in such a scenario. If I don't use any tunnel interfaces (which I haven't, as shown in the configuration), is it possible to shed some light on this behavior?
>
>
> ________________________________
> From: Brian McGahan <bmcgahan_at_ine.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>; Sidney D'Souza <mail.sidney_at_gmail.com>
> Cc: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>; Ovais Iqbal <ovais.iqball_at_yahoo.com>; "<ccielab_at_groupstudy.com>" <ccielab_at_groupstudy.com>
> Sent: Monday, December 10, 2012 1:49 AM
> Subject: RE: site to site vpn and routing protocol
>
> If you use an IPsec Virtual Tunnel Interface (VTI) this removes the need for running GRE, but still allows you to run layer 3 routing protocols across the site to site tunnel. It's basically the same as GRE but there is less overhead in the encapsulation. Also the configuration is simpler compared to the traditional crypto map and GRE tunnel interface config:
> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
>
> There is also a Dynamic VTI that is the replacement for the Easy VPN dynamic crypto map.
>
> If you're going for CCIE Security make sure you know all the possible combinations of different tunnels, as this is a huge portion of the exam. Also there are different features that are and are not supported with the different types of tunnels.
>
> For example if you had a question that said "Configure an IPsec tunnel between R1 and R2 to encrypt only ICMP traffic" which types of tunnels would or would not work and why? Or likewise if the question said "Configure an IPsec tunnel between R1 and R2 that is part of the ZBPF zone INSIDE" which types of tunnels would or would not work and why?
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: Sunday, December 09, 2012 2:26 PM
> To: Sidney D'Souza
> Cc: Adesh Chaudhary; Ovais Iqbal; <ccielab_at_groupstudy.com>
> Subject: Re: site to site vpn and routing protocol
>
> It has to do with directly connected interfaces. Put another layer 3 hop in between them and you'll see that it won't peer through the tunnel without GRE.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
>
> On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com> wrote:
>
>> Just labbed it up and it does set up a neighbourship. Strange indeed.
>>
>> Regards,
>> Sid
>> Nobody's really listening, until you make a mistake...
>>
>> -----Original
>Message-----
>> From: nobody_at_groupstudy.com
[mailto:nobody_at_groupstudy.com] On
>Behalf
>> Of Jay McMickle
>> Sent: 09
December 2012 23:05
>> To: Adesh Chaudhary
>> Cc: Ovais Iqbal;
ccielab_at_groupstudy.com
>> Subject: Re: site to site vpn and
>routing protocol
>>
>> That is a good summary!
>>
>>
>>
>> Regards,
>> Jay
>McMickle- 3x
CCNP
>> (R&S,Security,Design), CCIE #35355 (R&S)
>>
>> From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
>> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
>> Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> Sent: Sunday, December 9, 2012 12:01 PM
>> Subject: Re: site to site vpn and routing protocol
>>
>> As I think, IPSEC is mostly deployed over Public Internet. IP Subnet is generally different over both sides, causing issues with Routing Protocols. So GRE over IPSEC is used to address this issue. I might be wrong, as I haven't dealt much with them.
>>
>> On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>
>>> Can you show the output of sh IP EIGRP neigh?
>>>
>>> Can you configure the interesting traffic for TCP traffic only in ACL 111? You'll notice that the EIGRP isn't getting encrypted. It's peering outside of the tunnel, and this ACL change will verify for you. Also, when you remove the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
>>>
>>> Great question, and a hard one to explain.
>>>
>>> Regards,
>>> Jay McMickle- CCIE #35355 (RS)
>>> Sent from my iPhone 5
>>>
>>> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>
>>>> I will share the topology here,
>>>>
>>>> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>>>>
>>>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running 12.4 adv security. I configured the following on R1 and a replica on R2 (which I won't show since it will be just a repetition):
>>>>
>>>> R1
>>>> crypto isakmp key 0 cisco address 10.0.0.2
>>>> crypto isakmp policy 1
>>>>  auth pre-share
>>>>  encry des
>>>>  hash md5
>>>>  group 2
>>>>
>>>> access-list 111 permit ip any any
>>>>
>>>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
>>>> crypto map R1toR2 10 ipsec-isakmp
>>>>  match address 111
>>>>  set peer 10.0.0.2
>>>>  set transform-set R1toR2
>>>>
>>>> interface Fastethernet 0/0
>>>>  ip address 10.0.0.1 255.255.255.0
>>>>  crypto map R1toR2
>>>>
>>>> router eigrp 1
>>>>  no auto
>>>>  network 10.0.0.0 0.0.0.255
>>>>
>>>> Now EIGRP successfully forms the neighborship; I can see the packets being encrypted/decrypted while there is no other communication than EIGRP. This is surprising for me since I remembered for sure that protocols didn't work over IPsec, since IPsec has issues with multicast packets.
>>>>
>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>> Sent: Sunday, December 9, 2012 6:55 PM
>>>> Subject: Re: site to site vpn and routing protocol
>>>>
>>>> You'll have to see how that's happening. Most likely the peering is going a different direction than you think (not over the tunnel). Type "show IP EIGRP neigh or OSPF neigh" and see what IP address and what route it's taking to get there.
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (RS)
>>>> Sent from my iPhone 5
>>>>
>>>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>
>>>>> No, there are no tunnel interfaces; that's why I am surprised why EIGRP/OSPF are able to run over IPsec.
>>>>>
>>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>>>>> Sent: Sunday, December 9, 2012 6:01 PM
>>>>> Subject: Re: site to site vpn and routing protocol
>>>>>
>>>>> All you need is a L3 interface on each end for the adjacencies. That's why GRE over IPSEC enables dynamic protocols.
>>>>>
>>>>> If you are peering over IPSEC, what L3 interfaces is it using? Is it going over the tunnel for the peering?
>>>>>
>>>>> Regards,
>>>>> Jay McMickle- CCIE #35355 (RS)
>>>>> Sent from my iPhone 5
>>>>>
>>>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I was under the impression that if I have 2 routers connected back to back and I run IPsec over it, routing protocols won't work. That was the main reason we use GRE. But now when I reconfigured it on GNS3 and on real routers (1841), I saw that neighbor adjacencies are working fine for all protocols. So it's a bit surprising for me.
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>> --
>> Thanks & Regards,
>> Adesh
>> +91 99996 10511 (Delhi)
>> +91 99860 10511 (Banglore)
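Jay's diagnostic earlier in the thread (narrow ACL 111 to TCP only and see whether EIGRP is still encrypted) comes down to what the crypto-map ACL selects as interesting traffic. What follows is an added example, not code from the thread and not Cisco's: a Python model of IOS extended-ACL matching (protocol keyword, wildcard masks, first match, implicit deny) run against constructed sample packets on the 10.0.0.0/24 link from the thread: an EIGRP multicast hello to 224.0.0.10, a unicast EIGRP packet, Telnet and an ICMP echo. The packet names and helper functions are this example's own assumptions.

```python
# Added example (not part of the thread, not Cisco's code): a small model of
# how an IOS extended ACL used as crypto-map "interesting traffic" classifies
# packets, to reason about narrowing ACL 111 from "permit ip any any" to
# TCP only. Packets and ACL lines below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers for the keywords used below (IANA-assigned values).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47,
             "eigrp": 88, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    name: str
    proto: int   # IP protocol number
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # protocol keyword as typed in IOS
    src: str     # "any" or "ADDRESS WILDCARD"
    dst: str


def _take_addr(tokens: List[str]):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one access-list entry such as 'permit tcp 10.0.0.0 0.0.0.255 any'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in PROTO_NUM:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return Ace(action, proto, src, dst)


def _match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base_s, wild_s = spec.split()
    base = int(ipaddress.IPv4Address(base_s))
    wild = int(ipaddress.IPv4Address(wild_s))
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    want: Optional[int] = PROTO_NUM[ace.proto]   # None means the 'ip' keyword
    if want is not None and want != pkt.proto:
        return False
    return _match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)


def is_interesting(acl: List[Ace], pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end.
    True means the crypto map would treat the packet as interesting traffic."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def is_multicast(addr: str) -> bool:
    return ipaddress.IPv4Address(addr).is_multicast


def report(acl: List[Ace], packets: List[Packet]) -> dict:
    """Map each sample packet name to whether the ACL selects it for IPsec."""
    return {p.name: is_interesting(acl, p) for p in packets}


# Constructed sample traffic on the 10.0.0.0/24 link from the thread.
EIGRP_HELLO = Packet("eigrp-hello", 88, "10.0.0.1", "224.0.0.10")    # multicast hello
EIGRP_UNICAST = Packet("eigrp-unicast", 88, "10.0.0.1", "10.0.0.2")  # unicast EIGRP packet
TELNET = Packet("telnet", 6, "10.0.0.1", "10.0.0.2")
PING = Packet("icmp-echo", 1, "10.0.0.1", "10.0.0.2")
SAMPLES = [EIGRP_HELLO, EIGRP_UNICAST, TELNET, PING]

ACL_111_ORIGINAL = [parse_ace("permit ip any any")]   # as configured in the thread
ACL_111_TCP_ONLY = [parse_ace("permit tcp any any")]  # Jay's suggested narrowing

if __name__ == "__main__":
    for label, acl in (("permit ip any any", ACL_111_ORIGINAL),
                       ("permit tcp any any", ACL_111_TCP_ONLY)):
        print(f"ACL 111 = {label}")
        for name, hit in report(acl, SAMPLES).items():
            print(f"  {name:14} interesting={hit}")
```

With the original "permit ip any any", both EIGRP packets are selected by the ACL, so the ACL alone cannot say whether a counter increment comes from the multicast hello or from unicast EIGRP traffic, which is the distinction Brian draws. With "permit tcp any any", IP protocol 88 cannot match at all, so any SA counter that still increments is not EIGRP, and an adjacency that survives the change was not depending on the tunnel. What IOS does with a multicast packet the ACL has selected is the thread's open question; the model only shows what the ACL contributes.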
Received on Tue Dec 11 2012 - 20:02:27 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART