tunnel with transport mode

carl_townshend

Hi all

I have seen the following config on my router. I see the tunnel is in transport mode; what exactly is this config doing? Because all I can see in the address match for the VPN tunnel is the endpoint of the tunnel, will this encrypt all traffic flowing through these tunnels?

It's using OSPF over the tunnel for routing.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 2.2.2.0 255.255.255.0
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map VPN 20 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 ! must reference the transform-set defined above by name
 set transform-set TEST
 match address vpn
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
 bandwidth 8000
 ip address 2.2.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip ospf message-digest-key 7 md5 <removed>
 qos pre-classify
 tunnel source Loopback1
 tunnel destination 2.2.2.2
 crypto map VPN
!
ip access-list extended vpn
 permit gre host 1.1.1.1 host 2.2.2.2

5 Replies

Transport mode can be used if the device that generates the traffic is also the device that protects the traffic. That is the case here:

1) A packet from your internal network is routed into the tunnel because the destination is learned through OSPF.

2) The router encapsulates the packet with GRE and adds a new tunnel header (source 1.1.1.1, dest 2.2.2.2).

3) The outside interface will protect the GRE packet with your crypto. No new IP header will be inserted; the header which was added by GRE is used as the outer header.

BTW: The "crypto map VPN" is typically not needed on the tunnel-interface, only on the outgoing interface.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

So is this encrypting the tunnel, or each packet that flows through the tunnel individually?

How come I don't need to match all this traffic on the crypto access list, and only the end IPs?

Is this actually working then?

Cheers

Each packet that flows through the tunnel gets encrypted individually. You don't need to match the actual traffic, as the crypto map only sees the GRE packets from 1.1.1.1 to 2.2.2.2. These are protected with IPsec.


So is the config correct?

Also, would I need to do anything different if it was in tunnel mode? Why would they have used transport mode here?

That should be fine. When you issue the command "show crypto ipsec sa" you should see packets encrypted and decrypted.

You also could use tunnel mode here, but you would waste possible payload as you get an additional IP header (one would be inserted by GRE and another one with the same addresses by IPsec).

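The encapsulation steps in the first reply and the extra-header cost in the last one, as an added Python example that is not part of the thread: it models the header order on the wire for GRE over IPsec in transport and tunnel mode and the byte overhead for the posted transform-set (esp-aes 256 esp-sha-hmac). Header sizes assume IPv4 without options, a minimal GRE header, AES-CBC with a 16-byte IV and a 96-bit SHA-1 ICV; those are assumptions about this router, not facts from the thread.

```python
# Constructed sizes (assumptions, see lead-in) for the headers involved.
IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # GRE header without key/sequence/checksum
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # esp-aes: CBC block size and IV length
ESP_TRAILER = 2    # pad length + next header
SHA1_96_ICV = 12   # esp-sha-hmac: truncated HMAC-SHA1

def esp_padding(plaintext_len):
    """ESP padding so plaintext + trailer is a whole number of AES blocks."""
    return -(plaintext_len + ESP_TRAILER) % AES_BLOCK

def layers(mode):
    """Outer-to-inner header order on the wire for GRE over IPsec."""
    outer_ip = "IP 1.1.1.1->2.2.2.2 (added by GRE, reused by ESP as outer header)"
    inner = ["GRE", "inner IP + payload (routed in via OSPF)"]
    if mode == "tunnel":
        # IPsec inserts a second IP header with the same addresses and encrypts the GRE one.
        outer_ip = "IP 1.1.1.1->2.2.2.2 (inserted by IPsec)"
        inner.insert(0, "IP 1.1.1.1->2.2.2.2 (added by GRE, now encrypted)")
    return [outer_ip, "ESP header", "IV", *inner, "ESP padding + trailer", "ICV"]

def header_overhead(mode):
    """Fixed bytes added around one inner packet, excluding variable ESP padding."""
    fixed = IP_HDR + ESP_HDR + AES_BLOCK + GRE_HDR + ESP_TRAILER + SHA1_96_ICV
    return fixed + (IP_HDR if mode == "tunnel" else 0)

def wire_length(inner_len, mode):
    """Total bytes leaving the outside interface for an inner packet of inner_len bytes."""
    plaintext = GRE_HDR + inner_len + (IP_HDR if mode == "tunnel" else 0)
    return header_overhead(mode) + inner_len + esp_padding(plaintext)

def max_inner_packet(link_mtu, mode):
    """Largest inner packet that leaves the outside interface unfragmented."""
    for inner_len in range(link_mtu, 0, -1):
        if wire_length(inner_len, mode) <= link_mtu:
            return inner_len
    return 0

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode + ": " + " > ".join(layers(mode)))
        # "ip mtu 1400" on Tunnel1 caps the GRE payload at 1400 bytes.
        print(f"  1400-byte inner packet -> {wire_length(1400, mode)} bytes on the wire")
        print(f"  largest inner packet for a 1500-byte link: {max_inner_packet(1500, mode)}")
```

The fixed header cost differs by exactly one 20-byte IP header, while the on-the-wire difference for a given packet also depends on how ESP padding falls for each mode.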
