GRE IPSEC ACL's

fgleeson
Level 1

Hi all,

I have 2 routers connected and am trying to make the GRE come up over IPSEC, and I think my issue lies with the ACL.

They are running old versions of IOS, and as such I need to have the crypto map on both the tunnel and physical interfaces.

I have tried 2 different ACLs.

ACL 100 - is an any any "catch all" list.

ACL 101 - is the typical GRE host to host list.

What i expect is that ALL traffic will be encrypted over this link.

Do I have the wrong impression? Maybe this is my issue.

When IPSEC is deployed on its own, everything is encrypted.

ACL 100 - what I see is:

OSPF is not encrypted

Pings between the physical interfaces are encrypted and get through fine

Pings between the tunnel interfaces do not get through and are not answered

Change to ACL 101:

OSPF is not encrypted

Pings between the physical interfaces are not encrypted and get through fine

Pings between the tunnel interfaces are encrypted and get through fine

Config enclosed of the 2 routers.

It may be my expectation that everything would be encrypted.

Or else it's my ACL.

The ACL is supposed to tell the router what traffic is to be encrypted. That is why I cannot see how the host-to-host GRE ACL would work for anything other than tunnel-to-tunnel traffic.

Appreciate any feedback.

michael.leblanc
Level 4

ACL 101 (access-list 101 permit gre host 10.1.1.1 host 10.1.1.2) is appropriate, and should result in the encapsulation (GRE and then IPSec) of site-to-site traffic routed through the tunnel interface.

Your Ethernet0 interfaces have not been rendered passive (passive-interface Ethernet0) in your OSPF config. I would not expect these OSPF packets to be encapsulated. Are your routers not then receiving topology information from both paths (via the tunnel and Ethernet0 interfaces)?

I think you should render Ethernet0 interfaces as passive so that routing info only comes through the IPSec + GRE tunnel.

Seeing the routing tables would be more beneficial than the "sh ip ospf neighbor" output.

Other than the application of the crypto map on the tunnel interface, the non-passive OSPF status of the Ethernet0 interfaces, and the fact that I am using an ESP transform in "Transport Mode", your config is much like my own.
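For reference, here is a minimal GRE-over-IPsec configuration for one side that puts the reply's advice together: the GRE host-to-host crypto ACL, an ESP transform set in transport mode, the crypto map applied on the physical interface, and Ethernet0 made passive so OSPF only forms an adjacency across the tunnel. This is an added illustration, not the configuration either poster enclosed. Only the peer addresses 10.1.1.1 and 10.1.1.2, the interface name Ethernet0, and ACL number 101 come from the thread; the tunnel interface name and subnet, the LAN network, the map and transform-set names, the pre-shared key, and the cipher choices are assumptions (pick algorithms the IOS release actually supports, and mirror the addresses on the other router).

```cisco
! Router A (the 10.1.1.1 side). Router B mirrors this with the addresses swapped.
! Names, key and algorithms are hypothetical; adjust to what the IOS image offers.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 10.1.1.2
!
! ESP transform set in transport mode: the GRE outer header already carries
! 10.1.1.1 -> 10.1.1.2, so tunnel mode would only add a second identical header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: only GRE between the two tunnel endpoints is protected.
! Traffic routed into Tunnel0 is GRE-encapsulated first and therefore matches;
! packets sent directly between the Ethernet0 addresses (pings, OSPF hellos) do not.
access-list 101 permit gre host 10.1.1.1 host 10.1.1.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.1.1.1
 tunnel destination 10.1.1.2
 ! Leave room for GRE + ESP overhead so tunnel traffic is not fragmented.
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 crypto map GRE-MAP
 ! On the old IOS releases the original poster describes, the same crypto map
 ! also has to be applied under interface Tunnel0.
!
router ospf 1
 ! Passive on Ethernet0: no hellos in the clear, no second adjacency over the
 ! physical path, so routes are learned only through the encrypted tunnel.
 passive-interface Ethernet0
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

To confirm it behaves as the reply predicts, check that `show crypto ipsec sa` shows encaps/decaps counters rising while you ping 172.16.0.2, that `show ip ospf neighbor` lists the peer only via Tunnel0, and that `show ip route` has the remote LAN pointing at Tunnel0 rather than Ethernet0. Hit counts on `show access-lists 101` should increase only for the GRE line, which is the expected result given the ACL.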