10-13-2016 02:53 PM - edited 03-08-2019 07:47 AM
Hi Friends,
In one of the projects in our company I had to add IPsec over the GRE tunnels for security.
However, doing so prevented DECnet from working over these links!
Does DECnet work over a "GRE over IPsec" tunnel?
If yes, could you please explain how to fix it?
When I do a DECnet ping I get the following log message:
Here is a copy of the configuration:
R1#
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set ESP-AES-128-SHA
!
interface Tunnel2
ip address 10.11.12.1 255.255.255.0
decnet cost 10
tunnel source Serial0/0/0
tunnel destination 10.12.12.2
ip mtu 1400
ip tcp adjust-mss 1360
tunnel protection ipsec profile IPSEC_PROFILE
no shutdown
!
R2#
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set ESP-AES-128-SHA
!
interface Tunnel2
ip address 10.11.12.2 255.255.255.0
decnet cost 10
tunnel source Serial0/0/0
tunnel destination 10.12.12.1
ip mtu 1400
ip tcp adjust-mss 1360
tunnel protection ipsec profile IPSEC_PROFILE
no shutdown
!
Thanks Friends
10-14-2016 12:59 AM
Hello,
I don't know if this is even possible. Have you considered bridging DECnet instead?
10-14-2016 07:40 AM
Hi gpauwen,
I did use bridged DECnet in another scenario; however, I don't think it can be applied here!
Thanks
10-14-2016 09:28 AM
What you are doing with the tunnel protection profile is Virtual Tunnel Interface. While VTI is quite similar to GRE it is not quite the same thing. If there were a real GRE tunnel I believe that you might be able to transport DECnet through the tunnel and encrypt it.
HTH
Rick
10-14-2016 09:35 AM
Hi Richard,
I didn't quite understand you; could you please explain or give me an example?
Thanks
10-14-2016 11:06 AM
The title of your post indicates that you think of this tunnel as GRE. But it is not a GRE tunnel. It is a tunnel of course. But using the tunnel protection profile changes the tunnel from being GRE to being VTI. The difference is subtle but in this case it is important.
There are several differences between a GRE tunnel and a VTI tunnel. The most obvious difference is that a GRE tunnel uses a crypto map to identify traffic to be protected. And the crypto map uses an access list which typically would look like permit ip host <ip_of_tunnel_source> host <ip_of_tunnel_destination>. A VTI tunnel does not use a crypto map and would not have an access list like that. Apparently another difference between GRE tunnel and VTI tunnel is that while a GRE tunnel should encrypt all of the traffic using the tunnel it looks like the VTI encrypts only the IP traffic.
You might change your config to use actual GRE configuration. Do not use the tunnel protection profile on the tunnel, configure an access list to permit any traffic from the tunnel source address to the tunnel destination address, configure a crypto map to use the access list, and apply the crypto map to the interface that is the source for the tunnel.
HTH
Rick
10-19-2016 08:57 AM
Hi Richard,
So I have read your reply multiple times to understand it and I think I finally did. However, I don't know how to configure a crypto map to use an ACL, so I am googling it right now.
Thanks
10-20-2016 08:34 AM
It might look something like this
crypto map DECnetmap 10 ipsec-isakmp
set peer a.b.c.d
set transform-set ESP-AES-128-SHA
match address 151
access-list 151 permit ip host <IP_of_tunnel_source> host <IP_of_tunnel_destination>
int serial 0/0/0
crypto map DECnetmap
HTH
Rick
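The crypto-map layout Rick describes in his 10-14-2016 11:06 AM post and sketches with placeholders in the snippet above, written out for both routers against the addresses in the original post. This is an added example, not configuration posted in the thread. Assumptions not in the original: Serial0/0/0 on R1 is 10.12.12.1/30 and on R2 is 10.12.12.2/30 (the tunnel endpoints the poster uses), and the DECnet node addresses 1.1 and 1.2 are placeholders for whatever `decnet routing` line the real routers carry. Two choices differ from the thread's own snippet and are deliberate: the pre-shared key is bound to the one peer address instead of `0.0.0.0 0.0.0.0` (a wildcard key accepts any source that knows the secret), and the crypto ACL matches only GRE (`permit gre`) between the endpoints rather than all IP, so nothing else sourced from the serial address is silently pulled into the SA.

```cisco
! ===== R1 ===== (added example; assumptions marked)
decnet routing 1.1                      ! assumed DECnet node address
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
! Key scoped to the single peer instead of address 0.0.0.0 0.0.0.0
crypto isakmp key IPSEC_PSK address 10.12.12.2 255.255.255.255
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Only the GRE packets between the two tunnel endpoints are protected
ip access-list extended GRE_R1_TO_R2
 permit gre host 10.12.12.1 host 10.12.12.2
!
crypto map DECnetmap 10 ipsec-isakmp
 set peer 10.12.12.2
 set transform-set ESP-AES-128-SHA
 match address GRE_R1_TO_R2
!
interface Tunnel2
 ip address 10.11.12.1 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 no tunnel protection ipsec profile IPSEC_PROFILE   ! drop the VTI-style protection
!
interface Serial0/0/0
 ip address 10.12.12.1 255.255.255.252   ! assumed mask
 crypto map DECnetmap                    ! map goes on the tunnel source interface
!
! ===== R2 ===== (mirror image; ISAKMP policy and transform set identical to R1)
decnet routing 1.2                      ! assumed DECnet node address
!
crypto isakmp key IPSEC_PSK address 10.12.12.1 255.255.255.255
!
ip access-list extended GRE_R2_TO_R1
 permit gre host 10.12.12.2 host 10.12.12.1
!
crypto map DECnetmap 10 ipsec-isakmp
 set peer 10.12.12.1
 set transform-set ESP-AES-128-SHA
 match address GRE_R2_TO_R1
!
interface Tunnel2
 ip address 10.11.12.2 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 no tunnel protection ipsec profile IPSEC_PROFILE
!
interface Serial0/0/0
 ip address 10.12.12.2 255.255.255.252   ! assumed mask
 crypto map DECnetmap
```

To confirm the result without a SPAN session: `show crypto isakmp sa` should list the peer as QM_IDLE, and in `show crypto ipsec sa` the `#pkts encaps` / `#pkts decaps` counters for the SA matching the GRE ACL should climb while a DECnet ping runs, with `show decnet route` and `show decnet neighbors` showing the far side learned through Tunnel2. If the counters stay at zero while DECnet works, the traffic is leaving the serial interface in the clear and the ACL or crypto map placement is wrong. Keep the two ACLs exact mirrors of each other, otherwise quick-mode negotiation fails on a proxy-identity mismatch. The policy is kept as the poster wrote it for comparability; on current IOS releases a DH group of 14 or higher is a better choice than group 5.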
10-20-2016 08:43 AM
Hi Richard,
I found this page which describes "Crypto map based IPsec VPN fundamentals".
I wasn't 100% sure that this is what you were referring to, but according to your last comment it seems this is it.
I will try it and let you know if DECnet is working (hopefully no one pulls me onto another job before I finish this).
Thanks a lot
10-20-2016 09:07 AM
Yes, that link is discussing crypto maps as I was indicating. You might find this link helpful; it is more specifically oriented to using a crypto map with a GRE tunnel.
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/9221-quicktip.html
HTH
Rick
10-20-2016 03:14 PM
Thanks a LOT Richard,
The configuration is working correctly and DECnet has been encrypted successfully over the tunnel in the lab, and tomorrow I will try updating one of the sites to see if it works before applying the update to all the other sites.
The Lab:
HostA-->R1,Gi0/1--R1,Gi0/0-->SW1-->R2,Gi0/0--R2,Gi0/1-->HostB
I have connected a switch between R1 and R2 to monitor the traffic using SPAN, and DECnet is indeed passing through the tunnel and getting encrypted.
Thanks guys
10-20-2016 06:32 PM
Thanks for the update. If it is working ok in the lab then I am confident that it will work ok in production (assuming no careless config errors and no code version/license issues).
There is an interesting aspect to this discussion. In general using VTI (with tunnel protection profile) is considered preferable to the older solution of GRE tunnel with IPsec. But in your particular use case the GRE tunnel is what you needed.
HTH
Rick
10-24-2016 01:26 PM
Rick,
I have successfully updated the tunnel encryption on routers in the field and everything is working as expected.
Thanks for your help
Best Regards
10-24-2016 01:26 PM
Thanks for posting back to the forum and letting us know that you have implemented this on routers in production and that it is working. I am glad that our suggestions helped you to find a solution to your problem.
HTH
Rick
10-14-2016 11:34 AM
Hello,
I have been looking at routing DECnet over ISL. I have no way to lab and test this, so it is something you have to try. Basically, you create a subinterface on one of your Ethernet interfaces and encapsulate it with ISL. You then configure the DECnet cost. The config would look like this:
interface FastEthernet0.100
encapsulation isl 10   ! 10 is the VLAN your DECnet traffic uses
decnet cost 10
Then, in your tunnel, you specify the subinterface as your tunnel source.
interface Tunnel2
ip address 10.11.12.1 255.255.255.0
decnet cost 10
tunnel source FastEthernet0.100
tunnel destination 10.12.12.2
ip mtu 1400
ip tcp adjust-mss 1360
tunnel protection ipsec profile IPSEC_PROFILE
no shutdown
As stated, I don't know if this works, but give it a try.