If you want a particular src and dst address to talk to one another over
an IPsec tunnel, those SRC and DST addresses have to be allowed in the ACL
of the IPsec to trigger the phase 1/phase 2 negotiations. Based on your
IPsec ACL you are only allowing 1.1.1.1 to 3.3.3.3 over TCP telnet, not
ICMP. ICMP is its own protocol.

If you're using Tunnel Mode, yes, your Private Addresses are hidden and you
will rely on the normal routing process, so as long as your peering IPs
can reach each other you are OK. Your private network doesn't need to be,
and shan't be, advertised to the 23.0.0.0 or 12.0.0.0 cloud segments.

R1 will need to know how to reach its peer addresses; if that peer
address is 23.x.x.x/24 then yes, it will need to be able to reach it.

Also remember, if you are pinging from a device that is on the router that
you are generating the IPsec tunnel from, then this will probably not
work; you need to source your pings from the interesting traffic IPs.
On 5/9/13 11:23 PM, "Mohammad Mousa" <mohd-mousa_at_hotmail.com> wrote:
>I tried the lab again. I changed the ACL as follows on R1 and R3:
>
>             12.0.0.0/24              23.0.0.0/24
>R1----------------------R2----------------------R3
>
>access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255, and the
>opposite source and destination on the other router. I triggered the
>IPsec tunnel with data plane traffic (ICMP ping, sourcing it from the
>loopback; it worked fine). I checked that with #show cryp isa sa and #sh
>cryp IPsec sa. Everything was cool!
>
>Now, here is my question: on all routers my EIGRP configs enabled the
>EIGRP process on all the interfaces by network 0.0.0.0
>255.255.255.255. When I no longer advertised the loopbacks in
>EIGRP, the IPsec was still up and running but the ICMP pings didn't work.
>
>My understanding (NA level) of IPsec in tunnel mode (ESP
>encapsulates with a new IP header and trailer): the new header is the PUBLIC IP
>and the original header is the PRIVATE IP!
>
>So I don't need routes for my internal network (private network) at the
>edge routers. I mean, suppose 1.1.1.1 and 3.3.3.3 are private IP addresses
>and 12.0.0.1 and 23.0.0.0 are public IP addresses. R1 & R3 do not need
>routes for the 1.1.1.1 & 3.3.3.3 networks.
>
>R1 should know how to reach the 23.0.0.0/24 network & R3 should know how to
>reach the 12.0.0.0/24 network!
>
>Am I correct? Why did the pings stop working? Any ideas?
>
>
>Thanks,
>Mohammad Mousa
>CCIE #36990
>
>> Date: Wed, 8 May 2013 10:46:21 -0700
>> From: jay.mcmickle_at_yahoo.com
>> Subject: Re: Basic IPsec VPN tunnel
>> To: mohd-mousa_at_hotmail.com; marcabel_at_gmail.com
>> CC: ccielab_at_groupstudy.com
>>
>> Your ACL is interesting- a host specific IP but with a /24 subnet mask. The
>> router should have converted that for you- what was the actual output?
>>
>> What did you get out of the debugs?
>> debug cry con peer ip
>> conf t
>> logging con debug
>> exit
>> debug cry isa
>> debug cry ips (if isakmp is coming up)
>>
>> What is in between these devices? A router or a L3 device? Any natting occurring?
>>
>> The proof will be in your debugs. If you see it coming up, you're hitting the
>> interesting traffic. The debugs will tell you why, and possibly, the lack of
>> debug on the other side could be an indicator.
>>
>> Let the group know what you find.
>>
>>
>> Regards,
>> Jay McMickle- 2x CCIE #35355 (R&S,Sec)
>>
>> ________________________________
>> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
>> To: marc abel <marcabel_at_gmail.com>
>> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> Sent: Monday, May 6, 2013 11:16 PM
>> Subject: RE: Basic IPsec VPN tunnel
>>
>>
>> Marc,
>>
>> I've recently started studying for the NA security. I was playing with the
>> IPsec tunnel. This is for learning purposes, it is not a real deployment.
>> Though I did configure everything, the tunnel didn't go up.
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> --
>>
>> Mohammad Mousa
>> CCIE #36990
>>
>> > Date: Mon, 6 May 2013 23:06:14 -0500
>> > Subject: Re: Basic IPsec VPN tunnel
>> > From: marcabel_at_gmail.com
>> > To: mohd-mousa_at_hotmail.com
>> > CC: ccielab_at_groupstudy.com
>> >
>> > For troubleshooting purposes I would try broadening your access-list to
>> > include all traffic to and from your hosts. I've never done a VPN for only
>> > one type (port of traffic) as you are specifying. Are you sourcing your
>> > telnet from the loopback? Otherwise you aren't going to generate any
>> > interesting traffic to initiate the tunnel.
>> >
>> >
>> > On Mon, May 6, 2013 at 9:31 PM, Mohammad Mousa <mohd-mousa_at_hotmail.com> wrote:
>> >
>> > > Hi Folks,
>> > >
>> > > I'm stuck in this while I've been practicing a basic IPsec VPN tunnel on GNS3.
>> > > I've got this scenario. I have EIGRP up and running between all routers.
>> > > Connectivity has been established between R1 & R3.
>> > >
>> > > R1(f0/0)------------R2-----------(f0/1)R3
>> > >
>> > > Here are my configs:
>> > >
>> > >
>> > > R1
>> > > ---
>> > >
>> > > Phase 1 attributes:
>> > >
>> > > crypto isakmp policy 1
>> > > encr aes
>> > > hash md5
>> > > authentication pre-share
>> > > lifetime 3600
>> > > crypto isakmp key CISCO address 23.0.0.3 255.255.255.0
>> > >
>> > > Phase 2:
>> > >
>> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>> > > crypto map MYSET 1 ipsec-isakmp
>> > > set peer 23.0.0.3
>> > > set transform-set MYSET
>> > > match address 100
>> > >
>> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>> > >
>> > > int f0/0
>> > > crypto map MYSET
>> > >
>> > > R3
>> > > ---
>> > >
>> > > Phase 1 attributes:
>> > >
>> > > crypto isakmp policy 1
>> > > encr aes
>> > > hash md5
>> > > authentication pre-share
>> > > lifetime 3600
>> > > crypto isakmp key CISCO address 12.0.0.1 255.255.255.0
>> > >
>> > > Phase 2:
>> > >
>> > > crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
>> > > crypto map MYSET 1 ipsec-isakmp
>> > > set peer 12.0.0.1
>> > > set transform-set MYSET
>> > > match address 100
>> > >
>> > > access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet
>> > >
>> > > int f0/1
>> > > crypto map MYSET
>> > >
>> > > Any thoughts and advice will be highly appreciated!
>> > >
>> > > Thanks in advance
>> > >
>> > > --
>> > >
>> > > Mohammad Mousa
>> > > CCIE #36990
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> >
>> > --
>> > Marc Abel
>> > CCIE #35470
>> > (Routing and Switching)
>> >
>>
Received on Fri May 10 2013 - 07:15:55 ART
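The thread above turns on two mechanics: whether a packet matches the crypto ACL (protocol, source and destination expressed with IOS wildcard masks, and mirrored on both peers) and whether the router has a route for the private destination at all before the crypto map on the egress interface is consulted. The Python model below is an added example, not code from the thread or from Cisco. It assumes a simplified IOS order of operations (route lookup on the inner destination first, then crypto-ACL evaluation on the crypto-map interface), parses only contiguous wildcard masks, `host` and the `eq <port>` form, and uses the addresses from the thread's topology as constructed sample data; the `Router`, `forward` and `demo` names are this example's own.

```python
"""Model of how an IOS crypto map selects "interesting traffic" (added example, not thread code).
Assumed order of operations: (1) route lookup on the inner destination, no route -> drop;
(2) if the egress interface carries the crypto map, evaluate the crypto ACL: permit ->
encrypt (triggering IKE if no SA exists yet), otherwise the packet leaves in the clear.
Only contiguous wildcard masks, 'host' and the "eq <port>" form are parsed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'3.3.3.3 0.0.0.255' -> 3.3.3.0/24, as IOS normalises a host IP with a /24 wildcard."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # ValueError if non-contiguous


def _take_addr(t, i):
    """Consume 'host X' or 'X WILDCARD' starting at token index i."""
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit PROTO SRC WC DST WC [eq PORT]' (numbered extended ACL)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                 # drop "access-list <number>"
    action, proto = t[0], t[1]
    src, i = _take_addr(t, 2)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(action, proto, src, dst, dport)


def acl_permits(acl, proto, src, dst, dport=None) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def is_mirror(a: AclEntry, b: AclEntry) -> bool:
    """Peer crypto ACLs must be mirror images: same protocol, source and destination swapped."""
    return a.proto == b.proto and a.src == b.dst and a.dst == b.src


@dataclass
class Router:
    routes: dict                  # prefix string -> egress interface
    crypto_map_intf: str          # interface the crypto map is applied to
    crypto_acl: list              # parsed "match address" ACL


def egress_interface(r: Router, dst: str) -> Optional[str]:
    """Longest-prefix match over the routing table; None if there is no route."""
    d, best = ipaddress.IPv4Address(dst), None
    for prefix, intf in r.routes.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def forward(r: Router, proto: str, src: str, dst: str, dport=None) -> str:
    """Fate of a packet leaving the router: 'dropped', 'encrypted' or 'clear'."""
    intf = egress_interface(r, dst)
    if intf is None:
        return "dropped"          # no route: the crypto map is never consulted
    if intf == r.crypto_map_intf and acl_permits(r.crypto_acl, proto, src, dst, dport):
        return "encrypted"
    return "clear"


# Constructed sample data from the thread's topology: R1 lo0 1.1.1.1, R3 lo0 3.3.3.3,
# crypto map on R1 f0/0, peers 12.0.0.1 and 23.0.0.3 reachable via EIGRP.
ORIGINAL_ACL = "access-list 100 permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet"
R1_FIXED_ACL = "access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255"
R3_FIXED_ACL = "access-list 100 permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255"


def build_r1(acl_line: str, loopbacks_in_eigrp: bool) -> Router:
    routes = {"12.0.0.0/24": "f0/0", "23.0.0.0/24": "f0/0"}   # peer reachability stays
    if loopbacks_in_eigrp:
        routes["3.3.3.0/24"] = "f0/0"                         # R3's lo0, learned via EIGRP
    return Router(routes, "f0/0", [parse_acl_line(acl_line)])


def demo():
    """(original ACL, telnet from lo0), (fixed ACL, ICMP), (fixed ACL, lo0 withdrawn), mirror check."""
    original = forward(build_r1(ORIGINAL_ACL, True), "tcp", "1.1.1.1", "3.3.3.3", 23)
    fixed_icmp = forward(build_r1(R1_FIXED_ACL, True), "icmp", "1.1.1.1", "3.3.3.3")
    no_route = forward(build_r1(R1_FIXED_ACL, False), "icmp", "1.1.1.1", "3.3.3.3")
    mirrored = is_mirror(parse_acl_line(R1_FIXED_ACL), parse_acl_line(R3_FIXED_ACL))
    return original, fixed_icmp, no_route, mirrored  # ('clear', 'encrypted', 'dropped', True)
```

`demo()` reproduces the three situations from the thread: the original `permit tcp 3.3.3.3 0.0.0.255 1.1.1.1 0.0.0.255 eq telnet` on R1 never classifies a telnet sourced from 1.1.1.1 as interesting (for R1's direction the source and destination are reversed, so the session leaves in the clear and IKE is never triggered); the corrected `permit ip` ACL matches an ICMP ping from lo0; and withdrawing the loopbacks from EIGRP makes the same ping fail for lack of a route before IPsec is ever involved, which is why the SAs stay up while the pings stop. `is_mirror` is the check a peer-ACL review would make: the R3 line must be the R1 line with source and destination swapped, not a copy of it.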
This archive was generated by hypermail 2.2.0 : Mon Jun 03 2013 - 06:34:34 ART