Then it's not working, because EIGRP uses unicast to synchronize the topology.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
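An added check for the counter argument in this thread (it is not code from any of the posters): it classifies this router's own EIGRP packets (IP protocol 88) in constructed `debug ip packet detail` lines as multicast hellos or unicast, and compares the unicast count with the growth of the `#pkts encaps` counter between two constructed `show crypto ipsec sa` snapshots. The line shapes are assumed from IOS output; the counts and addresses are made up for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of IOS "debug ip packet detail" output
# (not captured from the routers in this thread): R1 sends EIGRP (proto 88)
# hellos to 224.0.0.10 and unicast packets to the peer 10.0.0.2.
DEBUG_LINES = """\
IP: s=10.0.0.1 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast, proto=88
IP: s=10.0.0.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2, proto=88
IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), len 84, sending, proto=88
IP: s=10.0.0.1 (local), d=10.0.0.2 (FastEthernet0/0), len 40, sending, proto=88
IP: s=10.0.0.1 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast, proto=88
""".splitlines()

# Constructed "show crypto ipsec sa" counter lines, before and after the debug window.
SA_BEFORE = "    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10"
SA_AFTER = "    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12"

PKT_RE = re.compile(r"s=(?P<src>[\d.]+).*?d=(?P<dst>[\d.]+).*?proto=(?P<proto>\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")


def classify_eigrp(lines):
    """Return (multicast, unicast) counts for EIGRP packets this router sent itself."""
    mcast = ucast = 0
    for line in lines:
        m = PKT_RE.search(line)
        if not m or m["proto"] != "88" or "(local)" not in line:
            continue  # ignore non-EIGRP lines and packets received from the peer
        if ip_address(m["dst"]).is_multicast:
            mcast += 1
        else:
            ucast += 1
    return mcast, ucast


def encaps_delta(before, after):
    """Growth of the SA's #pkts encaps counter across the debug window."""
    return int(ENCAPS_RE.search(after)[1]) - int(ENCAPS_RE.search(before)[1])


def check(lines=DEBUG_LINES, before=SA_BEFORE, after=SA_AFTER):
    """Report whether the counter growth is explained by unicast EIGRP alone."""
    mcast, ucast = classify_eigrp(lines)
    delta = encaps_delta(before, after)
    return {"multicast_hellos": mcast, "unicast_eigrp": ucast,
            "encaps_delta": delta, "unicast_explains_delta": delta == ucast}


if __name__ == "__main__":
    print(check())
```

If the debug window shows only multicast hellos and the counter still grows, the growth must come from some other flow matched by the crypto ACL, which is the case to look at before concluding that hellos are being encrypted.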
On Dec 11, 2012, at 10:02 PM, "Ovais Iqbal" <ovais.iqball_at_yahoo.com> wrote:
No Brian, I ran the debug and only multicast hellos were being exchanged, and the IPsec SA counters were increasing simultaneously.
________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Wednesday, December 12, 2012 1:04 AM
Subject: Re: site to site vpn and routing protocol
EIGRP uses both multicast and unicast. Most likely you are seeing the counters increment for the unicast exchange.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
On Dec 11, 2012, at 1:37 AM, "Ovais Iqbal" <ovais.iqball_at_yahoo.com> wrote:
Brian, I have to request you to check it on the rack also, please. What's surprising me is, I opened debug ip packet and there were only hellos being transmitted on the link, and as I see on show cry ipsec sa, its counters are also incrementing. It's EIGRP hellos that are being encrypted, and these hellos initially triggered the IPsec tunnel. That's what's shocking me, you need to lab it up.
________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Sidney D'Souza <mail.sidney_at_gmail.com>; 'Ovais Iqbal' <ovais.iqball_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Tuesday, December 11, 2012 12:44 AM
Subject: RE: site to site vpn and routing protocol
If the IPsec peers are directly connected, EIGRP will work because the multicast isn't sent over the crypto tunnel, only the unicast. Look at the "show crypto ipsec" counters and you'll see the EIGRP hellos aren't making it increment. If you want to send multicast over IPsec you need to use something like a GRE tunnel or use GETVPN.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
-----Original Message-----
From: Sidney D'Souza [mailto:mail.sidney_at_gmail.com]
Sent: Monday, December 10, 2012 1:22 AM
To: 'Ovais Iqbal'; Brian McGahan
Cc: ccielab_at_groupstudy.com
Subject: RE: site to site vpn and routing protocol
I added a layer 3 hop and the EIGRP peering no longer works. Debugging IP packets shows traffic being sent to the multicast address 224.0.0.10 over fa0/0, but the access-list counters do not increment. So why does it work when directly connected? Good question Ovais :)
Configs in a nutshell
----------------------
R1 (f0/0 10.1.1.1)<------------>R3<------------->(f0/0 192.168.1.2)R2

R1#sh run | s crypto|router|ip route|ip access
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 192.168.1.2
crypto ipsec transform-set R1-2-R2 esp-aes esp-sha-hmac
 mode transport
crypto map R1-2-R2 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set R1-2-R2
 match address R1-2-R2-ACL
crypto map R1-2-R2
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 10.120.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
 auto-summary
ip route 192.168.1.0 255.255.255.0 10.1.1.3
ip access-list extended R1-2-R2-ACL
 permit ip any any
***************************************
R2#sh run | s crypto|router|ip route|ip access
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set R2-2-R1 esp-aes esp-sha-hmac
 mode transport
crypto map R2-2-R1 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set R2-2-R1
 match address R2-2-R1-ACL
crypto map R2-2-R1
router eigrp 1
 network 10.10.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
 network 10.20.1.0 0.0.0.255   (loopback created for advertisements through eigrp)
 network 192.168.1.0 0.0.0.255
 no auto-summary
ip route 10.1.1.0 255.255.255.0 192.168.1.3
ip access-list extended R2-2-R1-ACL
 permit ip any any
Regards,
Sid
Nobody's really listening, until you make a mistake...
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ovais Iqbal
Sent: 10 December 2012 08:39
To: Brian McGahan
Cc: ccielab_at_groupstudy.com
Subject: Re: site to site vpn and routing protocol
Dear Brian,
In my case, what do you think, why did EIGRP work over IPsec? I remember that it didn't use to, 2-3 years ago. I labbed it up myself and protocols won't work in such a scenario. If I don't use any tunnel interfaces (which I haven't, as shown in the configuration), is it possible to shed some light on this behavior?
________________________________
From: Brian McGahan <bmcgahan_at_ine.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>; Sidney D'Souza <mail.sidney_at_gmail.com>
Cc: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>; Ovais Iqbal <ovais.iqball_at_yahoo.com>; "<ccielab_at_groupstudy.com>" <ccielab_at_groupstudy.com>
Sent: Monday, December 10, 2012 1:49 AM
Subject: RE: site to site vpn and routing protocol
If you use an IPsec Virtual Tunnel Interface (VTI) this removes the need for running GRE, but still allows you to run layer 3 routing protocols across the site to site tunnel. It's basically the same as GRE but there is less overhead in the encapsulation. Also the configuration is simpler compared to the traditional crypto map and GRE tunnel interface config:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html
There is also a Dynamic VTI that is the replacement for the Easy VPN dynamic crypto map.
If you're going for CCIE Security make sure you know all the possible combinations of different tunnels, as this is a huge portion of the exam. Also there are different features that are and are not supported with the different types of tunnels.
For example if you had a question that said "Configure an IPsec tunnel between R1 and R2 to encrypt only ICMP traffic", which types of tunnels would or would not work and why? Or likewise if the question said "Configure an IPsec tunnel between R1 and R2 that is part of the ZBPF zone INSIDE", which types of tunnels would or would not work and why?
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Sunday, December 09, 2012 2:26 PM
To: Sidney D'Souza
Cc: Adesh Chaudhary; Ovais Iqbal; <ccielab_at_groupstudy.com>
Subject: Re: site to site vpn and routing protocol
It has to do with directly connected interfaces. Put another layer 3 hop in between them and you'll see that it won't peer through the tunnel without GRE.
Regards,
Jay McMickle- CCIE #35355 (RS)
Sent from my iPhone 5
On Dec 9, 2012, at 1:45 PM, "Sidney D'Souza" <mail.sidney_at_gmail.com> wrote:
> Just labbed it up and it does set up a neighbourship. Strange indeed.
>
> Regards,
> Sid
>
> Nobody's really listening, until you make a mistake...
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: 09 December 2012 23:05
> To: Adesh Chaudhary
> Cc: Ovais Iqbal; ccielab_at_groupstudy.com
> Subject: Re: site to site vpn and routing protocol
>
> That is a good summary!
>
> Regards,
> Jay McMickle- 3x CCNP (R&S,Security,Design), CCIE #35355 (R&S)
>
> From: Adesh Chaudhary <er.adeshchaudhary_at_gmail.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> Cc: Ovais Iqbal <ovais.iqball_at_yahoo.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Sunday, December 9, 2012 12:01 PM
> Subject: Re: site to site vpn and routing protocol
>
> As I think, IPSEC is mostly deployed over the public Internet. The IP subnet is generally different on both sides, causing issues with routing protocols. So GRE over IPSEC is used to address this issue. I might be wrong, as I haven't dealt much with them.
>
> On Sun, Dec 9, 2012 at 8:26 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> Can you show the output of sh IP EIGRP neigh?
>>
>> Can you configure the interesting traffic for TCP traffic only in ACL 111? You'll notice that the EIGRP isn't getting encrypted. It's peering outside of the tunnel, and this ACL change will verify it for you. Also, when you remove the peer keys and the tunnel goes down, do you lose your EIGRP neighbor?
>>
>> Great question, and a hard one to explain.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>>
>> On Dec 9, 2012, at 8:10 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>>> I will share the topology here,
>>> ----------R1(10.0.0.1)(Fasteth0/0)---------------------------------(Fasteth0/0)(10.0.0.2)R2----------
>>>
>>> R1 and R2 are connected back to back over Fas0/0. Routers are 1841 running 12.4 adv security. I configured the following on R1 and a replica on R2 (which I won't show since it would be just a repetition).
>>>
>>> R1
>>> crypto isakmp key 0 cisco address 10.0.0.2
>>> crypto isakmp policy 1
>>>  auth pre-share
>>>  encry des
>>>  hash md5
>>>  group 2
>>>
>>> access-list 111 permit ip any any
>>>
>>> crypto ipsec transform-set R1toR2 esp-des esp-md5-hmac
>>> crypto map R1toR2 10 ipsec-isakmp
>>>  match address 111
>>>  set peer 10.0.0.2
>>>  set transform-set R1toR2
>>>
>>> interface Fastethernet 0/0
>>>  ip address 10.0.0.1 255.255.255.0
>>>  crypto map R1toR2
>>>
>>> router eigrp 1
>>>  no auto
>>>  network 10.0.0.0 0.0.0.255
>>>
>>> Now EIGRP successfully forms the neighborship, and I can see the packets being encrypted/decrypted while there is no other communication than EIGRP. This is surprising for me since I remembered for sure that protocols didn't work over IPsec, since IPsec has issues with multicast packets.
>>>
>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>> Sent: Sunday, December 9, 2012 6:55 PM
>>> Subject: Re: site to site vpn and routing protocol
>>>
>>> You'll have to see how that's happening. Most likely the peering is going a different direction than you think (not over the tunnel). Type "show IP EIGRP neigh or OSPF neigh" and see what IP address and what route it's taking to get there.
>>>
>>> Regards,
>>> Jay McMickle- CCIE #35355 (RS)
>>> Sent from my iPhone 5
>>>
>>> On Dec 9, 2012, at 7:52 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>
>>>> No, there are no tunnel interfaces, that's why I am surprised why EIGRP/OSPF are able to run over IPsec?
>>>>
>>>> From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>>>> To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>>>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>>>> Sent: Sunday, December 9, 2012 6:01 PM
>>>> Subject: Re: site to site vpn and routing protocol
>>>>
>>>> All you need is a L3 interface on each end for the adjacencies. That's why GRE over IPSEC enables dynamic protocols.
>>>>
>>>> If you are peering over IPSEC, what L3 interfaces is it using? Is it going over the tunnel for the peering?
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (RS)
>>>> Sent from my iPhone 5
>>>>
>>>> On Dec 9, 2012, at 3:35 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I was under the impression that if I have 2 routers connected back to back and I run IPsec over it, routing protocols won't work. That was the main reason we use GRE. But now when I reconfigured it on GNS3 and on real routers (1841), I saw that neighbor adjacencies are working fine for all protocols. So it's a bit surprising for me.
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
Received on Wed Dec 12 2012 - 13:07:38 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART