04-14-2008 08:05 AM - edited 02-21-2020 03:40 PM
Hi all,
I have 2 routers connected and am trying to make the GRE come up over IPSEC, and I think my issue lies with the ACL.
They are running old versions of IOS, and as such I need to have the crypto map on both the tunnel and physical interfaces.
I have tried 2 different ACLs.
ACL 100 - is an any any "catch all" list.
ACL 101 - is the typical GRE host to host list.
What I expect is that ALL traffic will be encrypted over this link.
Do I have the wrong impression? Maybe this is my issue.
When IPSEC is deployed on its own, everything is encrypted.
ACL 100 - What I see is:
OSPF is not encrypted
Pings between the physical interfaces are encrypted and get through fine
Pings between the tunnel interfaces do not get through and are not answered
CHANGE to ACL 101 - What I see is:
OSPF is not encrypted
Pings between the physical interfaces are not encrypted and get through fine
Pings between the tunnel interfaces are encrypted and get through fine
Config of the 2 routers enclosed.
It may be my expectation that everything would be encrypted.
Or else it's my ACL.
The ACL is supposed to tell the router what traffic is to be encrypted. That is why I cannot see how the host-to-host GRE ACL would work for anything other than tunnel-to-tunnel traffic.
Appreciate any feedback.
04-24-2008 01:17 PM
ACL 101 (access-list 101 permit gre host 10.1.1.1 host 10.1.1.2) is appropriate, and should result in the encapsulation (GRE and then IPSec) of site-to-site traffic routed through the tunnel interface.
Your Ethernet0 interfaces have not been rendered passive (passive-interface Ethernet0) in your OSPF config. I would not expect these OSPF packets to be encapsulated. Are your routers not then receiving topology information from both paths (via the tunnel and Ethernet0 interfaces)?
I think you should render Ethernet0 interfaces as passive so that routing info only comes through the IPSec + GRE tunnel.
Seeing the routing tables would be more beneficial than the "sh ip ospf neighbor" output.
Other than the application of the crypto map on the tunnel interface, the non-passive OSPF status of the Ethernet0 interfaces, and the fact that I am using an ESP transform in "Transport Mode", your config is much like my own.
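For reference, here is an added example of the configuration the reply describes for one side of the link (the peer mirrors it); it is not the poster's enclosed config or the replier's own. It assumes 10.1.1.1 and 10.1.1.2 are the tunnel source/destination (Ethernet0) addresses, since a crypto ACL matching GRE has to reference the outer header of the encapsulated packet; the tunnel subnet, crypto map name, transform-set name, cipher choice and pre-shared key are constructed placeholders.

```cisco
! Added example, not the thread's enclosed config. Everything except
! access-list 101 and the 10.1.1.x endpoint addresses is a placeholder.
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-PSK address 10.1.1.2
!
! ESP in transport mode, as the reply uses: GRE already supplies the
! outer IP header, so IPsec does not need to add another one.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL: only the GRE packets between the two tunnel endpoints.
! Everything routed into Tunnel0 is GRE-encapsulated first, so this
! one line covers all site-to-site traffic that uses the tunnel.
access-list 101 permit gre host 10.1.1.1 host 10.1.1.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 10.1.1.2
 ! Old IOS: the crypto map goes on the tunnel AND the physical interface.
 crypto map GRE-MAP
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 crypto map GRE-MAP
!
router ospf 1
 network 172.16.1.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
 ! Passive Ethernet0: no OSPF hellos on the clear-text link, so the
 ! adjacency and all routing updates form only across Tunnel0 (GRE + IPsec).
 passive-interface Ethernet0
```

With Ethernet0 passive, pings between the Ethernet0 addresses are still plain ICMP and will not match ACL 101, which matches what the poster observed; anything that should be protected has to be routed into Tunnel0.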