DECnet over "GRE over IPsec"!

Hi Friends,

In one of the projects in our company I had to add IPsec over the GRE tunnels for security.

However doing so prevented DECnet from working over these links!

Does DECnet work over the "GRE over IPsec" tunnel?

If yes, could you please explain how to fix it?

When I do a DECnet ping I get the following log message:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.12.12.2, src_addr= 10.12.12.1, prot= 47

Here is a copy of the configuration:

R1#

!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.1 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!

R2#

!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.2 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!

Thanks Friends
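Added example, not part of this thread: a small parser for the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message quoted above. It flags cleartext GRE (IP protocol 47) arriving from a configured tunnel peer, which is what the VTI logs when the far side sends a non-IP payload such as DECnet inside GRE without encrypting it. The TUNNEL_PEERS set and every sample log line except the one quoted in the post are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Message shape copied from the log line quoted in the post; the vrf field
# is allowed to be empty, as it is there.
_NOT_IPSEC = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"vrf/dest_addr=\s*(?P<vrf>[^/,]*)/(?P<dst>[\d.]+),\s*"
    r"src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)"
)
# IANA protocol numbers a tunnel operator cares about here.
PROTO_NAMES = {47: "GRE", 50: "ESP", 51: "AH", 1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class ClearTextHit:
    src: str
    dst: str
    prot: int
    proto_name: str
    between_tunnel_peers: bool  # True when src/dst are a configured tunnel pair


def parse_not_ipsec(line: str, peers: Set[Tuple[str, str]]) -> Optional[ClearTextHit]:
    """Return a hit for a RECVD_PKT_NOT_IPSEC line, or None for any other line."""
    m = _NOT_IPSEC.search(line)
    if not m:
        return None
    src, dst, prot = m["src"], m["dst"], int(m["prot"])
    pair = (src, dst) in peers or (dst, src) in peers
    return ClearTextHit(src, dst, prot, PROTO_NAMES.get(prot, f"proto-{prot}"), pair)


def find_unprotected_tunnel_traffic(lines: Iterable[str], peers: Set[Tuple[str, str]]) -> List[ClearTextHit]:
    """Keep hits where plain GRE (47) arrived from a tunnel peer: the signature of a
    VTI dropping non-IP payload (e.g. DECnet) the far side sent without IPsec."""
    hits = (parse_not_ipsec(l, peers) for l in lines)
    return [h for h in hits if h and h.between_tunnel_peers and h.prot == 47]


# Constructed sample log: line 1 is the message quoted in the post, the rest are made up.
SAMPLE_LOG = [
    "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.12.12.2, src_addr= 10.12.12.1, prot= 47",
    "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.12.12.2, src_addr= 192.0.2.9, prot= 1",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up",
]
TUNNEL_PEERS = {("10.12.12.1", "10.12.12.2")}  # tunnel source/destination from the post

if __name__ == "__main__":
    for hit in find_unprotected_tunnel_traffic(SAMPLE_LOG, TUNNEL_PEERS):
        print(f"cleartext {hit.proto_name} from tunnel peer {hit.src} -> {hit.dst}")
```

Run it against a syslog export from both tunnel endpoints; a non-empty result means the peer in the hit is still sending GRE around the IPsec protection.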


Hello,

I don't know if this is even possible. Have you considered bridging DEC instead?

Hi gpauwen,

I did use bridged DECnet in another scenario, however I don't think it can be applied here!

Thanks

What you are doing with the tunnel protection profile is Virtual Tunnel Interface. While VTI is quite similar to GRE it is not quite the same thing. If there were a real GRE tunnel I believe that you might be able to transport DECnet through the tunnel and encrypt it.

HTH

Rick

Hi Richard,

I didn't quite understand you, could you please explain or give me an example?

Thanks

The title of your post indicates that you think of this tunnel as GRE. But it is not a GRE tunnel. It is a tunnel of course. But using the tunnel protection profile changes the tunnel from being GRE to being VTI. The difference is subtle but in this case it is important.

There are several differences between a GRE tunnel and a VTI tunnel. The most obvious difference is that a GRE tunnel uses a crypto map to identify traffic to be protected. And the crypto map uses an access list which typically would look like permit ip host <ip_of_tunnel_source> host <ip_of_tunnel_destination>. A VTI tunnel does not use a crypto map and would not have an access list like that. Apparently another difference between GRE tunnel and VTI tunnel is that while a GRE tunnel should encrypt all of the traffic using the tunnel it looks like the VTI encrypts only the IP traffic.

You might change your config to use actual GRE configuration. Do not use the tunnel protection profile on the tunnel, configure an access list to permit any traffic from the tunnel source address to the tunnel destination address, configure a crypto map to use the access list, and apply the crypto map to the interface that is the source for the tunnel.

HTH

Rick 

Hi Richard,

So I have read your reply multiple times to understand it and I think I finally did. However I don't know how to configure a crypto map to use an ACL, so I am googling it right now.

Thanks

It might look something like this

crypto map DECnetmap 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set ESP-AES-128-SHA
 match address 151

access-list 151 permit ip host <IP_of_tunnel_source> host <IP_of_tunnel_destination>

int serial 0/0/0

crypto map DECnetmap

HTH

Rick

Hi Richard,

I found this page which describes "Crypto map based IPsec VPN fundamentals".

I wasn't 100% sure that this is what you were referring to but according to your last comment it seems this is it.

I will try it and let you know if DECnet is working (hopefully no one pulls me to another job before I finish this).

Thanks a lot

Yes that link is discussing crypto map as I was indicating. You might find this link helpful and is more specifically oriented to crypto map to use with GRE tunnel.

http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/9221-quicktip.html

HTH

Rick

Thanks a LOT Richard,

The configuration is working correctly and DECnet has been encrypted successfully over the tunnel in the lab. Tomorrow I will try updating one of the sites to see if it's going to work before applying the updates to all the other sites.

The Lab:

HostA-->R1,Gi0/1--R1,Gi0/0-->SW1-->R2,Gi0/0--R2,Gi0/1-->HostB

I have connected a switch between R1 and R2 to monitor the traffic using SPAN and DECnet is indeed passing through the Tunnel and getting encrypted.

Thanks guys

Thanks for the update. If it is working ok in the lab then I am confident that it will work ok in production (assuming no careless config errors and no code version/license issues).

There is an interesting aspect to this discussion. In general using VTI (with tunnel protection profile) is considered preferable to the older solution of GRE tunnel with IPsec. But in your particular use case the GRE tunnel is what you needed.

HTH

Rick

Rick, 

I have successfully updated the tunnel encryption on routers in the field and everything is working as expected.

Thanks for your help

Best Regards

Thanks for posting back to the forum and letting us know that you have implemented this on routers in production and that it is working. I am glad that our suggestions helped you to find a solution to your problem.

HTH

Rick

Hello,

I have been looking at routing DECnet over ISL. I have no way to lab and test this, so it is something you have to try. Basically, you create a subinterface on one of your Ethernet interfaces and encapsulate it with ISL. You then configure the DECnet cost. The config would look like this:

interface FastEthernet0.100
encapsulation isl 10   ! 10 is the VLAN your DECnet traffic uses
decnet cost 10

Then, in your tunnel, you specify the subinterface as your tunnel source.

interface Tunnel2
ip address 10.11.12.1 255.255.255.0
decnet cost 10
tunnel source FastEthernet0.100
tunnel destination 10.12.12.2
ip mtu 1400
ip tcp adjust-mss 1360
tunnel protection ipsec profile IPSEC_PROFILE
no shutdown

As stated, I don't know if this works, but give it a try.
