02-14-2013 05:08 AM - edited 03-04-2019 07:01 PM
Hi all
I have seen the following config on my router. I see the tunnel is in transport mode; what exactly is this config doing? Because all I can see in the address match for the VPN tunnel is the endpoints of the tunnel, will this encrypt all traffic flowing through these tunnels?
It's using OSPF over the tunnel for routing.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 2.2.2.0 255.255.255.0
!
! Phase 2 proposal; transport mode reuses the IP header added by GRE as the outer header
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
! The transform-set referenced here must be the one defined above (TEST)
crypto map VPN 20 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set TEST
 match address vpn
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
 bandwidth 8000
 ip address 2.2.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip ospf message-digest-key 7 md5 <removed>
 qos pre-classify
 tunnel source Loopback1
 tunnel destination 2.2.2.2
 crypto map VPN
!
! Crypto ACL: only the GRE packets between the tunnel endpoints are selected for IPsec
ip access-list extended vpn
 permit gre host 1.1.1.1 host 2.2.2.2
02-14-2013 05:18 AM
Transport mode can be used if the device that generates the traffic is also the device that protects the traffic. That is the case here:
1) A packet from your internal network is routed into the tunnel because the destination is learned through OSPF.
2) The router encapsulates the packet with GRE and adds a new tunnel header (source 1.1.1.1, dest 2.2.2.2).
3) The outside interface will protect the GRE packet with your crypto. No new IP header will be inserted; the header which was added by GRE is used as the outer header.
BTW: The "crypto map VPN" is typically not needed on the tunnel-interface, only on the outgoing interface.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
02-14-2013 05:31 AM
So is this encrypting the tunnel, or each packet that flows through the tunnel individually?
How come I don't need to match all this traffic on the crypto access list, and only the end IPs?
Is this actually working then?
Cheers
02-14-2013 05:47 AM
Each packet that flows through the tunnel gets encrypted individually. You don't need to match the actual traffic, as the crypto map only sees the GRE packets from 1.1.1.1 to 2.2.2.2. These are protected with IPsec.
02-14-2013 05:56 AM
So is the config correct?
Also, would I need to do anything different if it was in tunnel mode? Why would they have used transport mode here?
02-14-2013 06:03 AM
That should be fine. When you issue the command "show crypto ipsec sa" you should see packets encrypted and decrypted.
You also could use tunnel mode here, but you would waste possible payload as you get an additional IP header (one would be inserted by GRE and another one with the same addresses by IPsec).
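An added size model of the encapsulation the replies above describe, written for this thread and not taken from it or from Cisco: in transport mode ESP is applied straight to the GRE packet and the GRE-added IP header stays as the outer header, while tunnel mode encrypts that header too and prepends a second one with the same addresses. Header sizes are assumed standard values (IPv4 20 bytes, GRE without key/sequence 4, ESP header 8, AES-CBC IV 16, ESP trailer 2, SHA-1-96 ICV 12), and the 1400-byte input corresponds to the "ip mtu 1400" on Tunnel1.

```python
"""Wire-size model for GRE over IPsec ESP, transport vs tunnel mode.

Header sizes below are standard values assumed for this example (not from
the thread): IPv4 20, GRE 4, ESP header 8, AES-CBC IV 16, trailer 2, ICV 12.
"""
from typing import List, Tuple

IPV4_HDR, GRE_HDR, ESP_HDR = 20, 4, 8
AES_IV, AES_BLOCK, ESP_TRAILER, SHA1_ICV = 16, 16, 2, 12


def esp_gre_layout(inner_len: int, mode: str) -> List[Tuple[str, int, str]]:
    """Layers of one GRE-over-ESP packet carrying an inner_len-byte IP packet.

    Entries are (layer, bytes, protection): 'clear', 'auth' (ICV only) or 'enc'.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # What ESP encrypts: the GRE header plus the inner packet. In tunnel mode
    # the IP header GRE added (1.1.1.1 -> 2.2.2.2) is encrypted as well and
    # IPsec prepends a second header carrying the same addresses.
    encrypted = [("gre header", GRE_HDR, "enc"),
                 ("inner ip packet", inner_len, "enc")]
    if mode == "tunnel":
        encrypted.insert(0, ("gre ip header 1.1.1.1->2.2.2.2", IPV4_HDR, "enc"))
    plain_len = sum(size for _, size, _ in encrypted) + ESP_TRAILER
    pad = (-plain_len) % AES_BLOCK  # CBC needs whole blocks before the trailer
    return [
        ("outer ip header 1.1.1.1->2.2.2.2", IPV4_HDR, "clear"),
        ("esp header (spi, seq)", ESP_HDR, "auth"),
        ("aes-cbc iv", AES_IV, "auth"),
        *encrypted,
        ("esp padding", pad, "enc"),
        ("esp trailer", ESP_TRAILER, "enc"),
        ("sha1-96 icv", SHA1_ICV, "clear"),
    ]


def wire_size(inner_len: int, mode: str) -> int:
    """Total bytes put on the outside interface for one inner packet."""
    return sum(size for _, size, _ in esp_gre_layout(inner_len, mode))


def largest_inner(mode: str, link_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulated form still fits in link_mtu."""
    n = link_mtu
    while n > 0 and wire_size(n, mode) > link_mtu:
        n -= 1
    return n
```

With a 1400-byte inner packet, transport mode puts 1464 bytes on the wire and tunnel mode 1496, both under a 1500-byte link MTU; the largest inner packet that still fits is 1434 bytes in transport mode versus 1414 in tunnel mode.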