03-30-2015 12:47 PM
Hi everyone,
I have a question about Cisco Packet Processing Sequence given below.
Inside-to-Outside (LAN to WAN)
Let's suppose we have 3 routers, A, B and C. Router A encrypts the IPSec traffic and sends it to router C. Now let's examine the packet processing sequence above with regards to router B. When the traffic arrives at router B from router A, by the above sequence, router B will check for the IPSec input access list and then decrypt the traffic. Why would router B decrypt the traffic and then encrypt it again before sending it out when the traffic is actually meant to go to router C?
I am sure I am missing a very simple point here. Could someone please explain?
Thanks,
H
03-30-2015 01:05 PM
Firstly your order is inside to outside and when router B receives it the traffic will be from outside to inside (presumably) and that is a different order.
But even if it wasn't, it's not clear what you mean by traffic being meant for router C.
If the IPSEC tunnel is established between router A and router C then router B won't have any crypto configuration so that step would be bypassed.
It would simply forward the traffic to router C.
The order of operations doesn't mean every step is applied on every router. It depends on what configuration you have on the router.
So no IPSEC configuration on router B means no IPSEC processing.
Jon
03-30-2015 01:17 PM
OK - Thanks.
One more question. Let's take the first two steps of the process.
Assuming traffic going from router A to C.
Why would router A see traffic as IPSec, is it not supposed to build the tunnel up first?
OK, let's assume the packet comes in when the IPSec tunnel is already up between router A and C. Then why step 2? Why does router A have to decrypt that traffic?
03-30-2015 01:39 PM
Why does router A have to decrypt that traffic?
It doesn't.
Notice the first step says "if IPSEC .."
But the traffic coming in from the inside to router A is not IPSEC, i.e. it is plaintext traffic. So it does not match and the decryption step is skipped.
If you notice further down in the list just after NAT it then checks the crypto map and if the unencrypted traffic matches then it does a few other steps and then encrypts the traffic and sends it down the tunnel.
Jon
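To make the two answers above concrete (no crypto configuration on B means no IPsec processing; on A the "if IPsec" decrypt step is skipped for plaintext and the crypto map check after NAT is what triggers encryption), here is an added toy model of that conditional sequence. It is example code written for this thread, not Cisco code or an official order-of-operations table: the router names, the hypothetical `Router`/`Packet` classes, the crypto-ACL networks and the 203.0.113.x endpoint addresses are all constructed for illustration.

```python
"""Toy model of the IOS inside-to-outside order of operations discussed above.

Hypothetical model, not Cisco code: every step tests the packet state and the
router's own configuration, so a step that does not apply is simply skipped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    esp: bool = False                 # True once the payload is encrypted (ESP)
    outer_src: Optional[str] = None   # tunnel endpoints while encrypted
    outer_dst: Optional[str] = None


@dataclass
class Router:
    name: str
    wan_ip: str
    # crypto ACL (src net, dst net) describing traffic to protect, and the
    # IPsec peer; both None when the router has no IPsec configuration at all
    crypto_acl: Optional[Tuple[str, str]] = None
    peer: Optional[str] = None
    nat: bool = False

    def is_tunnel_endpoint(self) -> bool:
        return self.crypto_acl is not None and self.peer is not None

    def _crypto_match(self, pkt: Packet) -> bool:
        src_net, dst_net = self.crypto_acl
        return (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net))

    def process(self, pkt: Packet) -> List[str]:
        """Run the sequence for one packet and return the steps actually executed."""
        steps = []
        # Table steps 1-2: "if IPsec, check input ACL, then decrypt".  They fire
        # only when the packet is ESP *and* this router holds the SA, i.e. it is
        # the tunnel endpoint named in the outer header.  Plaintext (A) and a
        # transit router without crypto config (B) both skip them.
        if pkt.esp and self.is_tunnel_endpoint() and pkt.outer_dst == self.wan_ip:
            steps.append("ipsec-input-acl")   # step the thread notes was dropped in 12.3T
            steps.append("decrypt")
            pkt.esp, pkt.outer_src, pkt.outer_dst = False, None, None
        else:
            steps.append("no-decrypt")
        steps.append("route")
        if self.nat:
            steps.append("nat")
        # Crypto map check comes after NAT: encrypt only when this router has a
        # crypto map and the cleartext flow matches its crypto ACL.
        if not pkt.esp and self.is_tunnel_endpoint() and self._crypto_match(pkt):
            steps.append("encrypt")
            pkt.esp, pkt.outer_src, pkt.outer_dst = True, self.wan_ip, self.peer
        else:
            steps.append("no-encrypt")
        steps.append("forward")
        return steps


def trace_path(routers: List[Router], pkt: Packet) -> Dict[str, List[str]]:
    """Push one packet through the routers in order; map router name -> steps."""
    result = {}
    for r in routers:
        result[r.name] = r.process(pkt)
    return result


def example() -> Dict[str, List[str]]:
    # Constructed topology: A and C are the IPsec peers, B is a plain transit router.
    a = Router("A", wan_ip="203.0.113.1", crypto_acl=("10.1.0.0/16", "10.2.0.0/16"),
               peer="203.0.113.3")
    b = Router("B", wan_ip="203.0.113.2")          # no crypto map at all
    c = Router("C", wan_ip="203.0.113.3", crypto_acl=("10.2.0.0/16", "10.1.0.0/16"),
               peer="203.0.113.1")
    pkt = Packet(src="10.1.0.5", dst="10.2.0.7")   # LAN host behind A to LAN host behind C
    return trace_path([a, b, c], pkt)


if __name__ == "__main__":
    for name, steps in example().items():
        print(name, "->", " | ".join(steps))
```

Running it shows A skipping decrypt and encrypting after the crypto map match, B doing neither, and C decrypting because the outer destination is its own address and it holds the SA.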
03-30-2015 01:55 PM
OK. Makes perfect sense now.
Thanks!
03-30-2015 02:16 PM
It should be mentioned that this OOO-table is pretty much outdated and not valid any more for actual IOS-versions. Especially the ACL-check for IPsec-packets was removed in 12.3T, that was nearly a decade ago.
03-31-2015 12:16 AM
Hi Karsten,
Could you please point me to the latest OOO-table?
Thanks,
H
03-31-2015 01:12 AM
I'm not aware of any updated table on cisco.com, but a quick internet-search gives the following blog-post on etherealmind.com: http://etherealmind.com/cisco-ios-order-of-operation/
03-31-2015 01:33 AM
Thank you so much!!!!
H