06-24-2016 09:31 AM - edited 02-21-2020 08:52 PM
Hi all,
Using ZBFW policies on a Cisco router running IOS-XE software, you have to permit ISAKMP (UDP 500) on the self-to-outside and outside-to-self zone pairs in order to originate and receive the VPN traffic. My question is: why do I have to specify the GRE protocol as part of this ACL on the head-end router when the branch side is allowing it without me specifying it in the self ACL policies? If I don't specify the GRE protocol on the head-end, I don't see packets being encrypted.
I've attached the head-end and branch-side configs with the IP addresses and passwords omitted.
Thanks in advance.
John
06-24-2016 01:38 PM
Hi
There are missing parts in the sample config you've attached.
On the branch config, the tunnel interface is a member of a zone, but I don't see any class-map or ACL attached.
However, on your head-end, the tunnel has no assigned zone. That could be the issue, because if no zone is attached it functions as a classic router port and might still use the classic stateful inspection/CBAC configuration, but without the complete view I can't tell.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-24-2016 03:02 PM
Thanks... I've included more information. Let me know if this helps you see the complete view. Again, I "x"ed out the IP addresses and password information. What's strange is that the head-end needs GRE to be permitted in the self ACL while the branch doesn't seem to care.
Just wondering if this is the default behavior: when the GRE packet leaves the tunnel before getting IPsec encrypted, it goes through the self-to-outside policy. However, we are applying the IPsec profile right on the Tunnel1 interface. So does GRE still pass through the outside interface, or is it really encrypted as IPsec ESP at the Tunnel1 interface and then leaves the outside interface, in which case GRE wouldn't need to be permitted in the self zone policies?
thanks.
06-24-2016 04:51 PM
Hi
I see now, with the configs, that you have a zone associated with your head-end router and also all the class-maps and ACLs.
Let's say you want to allow DMVPN users to ping the router itself: you will need to create a self-zone-specific configuration, and in that case you'll need to add all protocols used for DMVPN, including GRE.
However, what's strange is that on the branch router you haven't configured it. If no self zone is configured, traffic isn't filtered, but as soon as you touch this zone config, traffic is filtered and all protocols need to be allowed.
To answer your question: yes, it is expected behaviour, but on the branch too you had to allow it.
A lot of people face this issue when they set up DMVPN and ZBF.
You can search this forum or Google.
I'll paste only 2 links; I've helped many people on that topic, but I've registered only 2 of them to explain DMVPN with ZBF.
https://supportforums.cisco.com/document/60901/configuring-dmvpn-zbf-hub-and-spoke-topology
http://resources.intenseschool.com/dmvpn-cisco-ios-zbf-and-ios-nat/
Just for your information: sometimes with ZBF, what you expect to happen is not what happens in reality, and vice versa...
I've tested it quickly in a lab just to be sure, and on my side, if I don't authorize GRE on all routers where I modify the self zone, then it won't work.
Thanks
Hope this helps.
PS: Please don't forget to rate and mark as correct answer if this solved your issue.
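A minimal self-zone policy of the kind the answer above describes, written here as an added example and not copied from the configs attached to the thread. The zone name OUTSIDE, the ACL/class-map/policy-map names and the inclusion of UDP 4500 (NAT-T) are assumptions; the thread itself only mentions ISAKMP (UDP 500), ESP and GRE. The same policy-map is attached to both zone pairs because a DMVPN router both originates and receives ISAKMP, ESP and GRE, and `pass` is stateless, so nothing permitted in one direction implicitly returns in the other.

```cisco
! Added example: protocols the router itself must send and receive for DMVPN.
! The ACL is applied to traffic to/from the self zone, so "any any" is intentional;
! tighten the source/destination to the tunnel peer addresses where they are known.
ip access-list extended ACL-SELF-DMVPN
 permit udp any any eq isakmp          ! ISAKMP / IKE, UDP 500
 permit udp any any eq non500-isakmp   ! NAT-T, UDP 4500 (assumption: only needed behind NAT)
 permit esp any any                    ! IPsec ESP, the encrypted tunnel packets
 permit gre any any                    ! GRE (and NHRP carried inside GRE) before/after encryption
!
class-map type inspect match-any CM-SELF-DMVPN
 match access-group name ACL-SELF-DMVPN
!
! Self-zone traffic for ESP and GRE cannot be stateful-inspected, so use "pass";
! everything else to/from the self zone is dropped and logged.
policy-map type inspect PM-SELF-DMVPN
 class type inspect CM-SELF-DMVPN
  pass
 class class-default
  drop log
!
zone security OUTSIDE
!
! Both directions are needed: the router originates tunnel traffic (self -> OUTSIDE)
! and receives it from the peer (OUTSIDE -> self).
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-DMVPN
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-SELF-DMVPN
!
interface GigabitEthernet0/0/0
 description WAN
 zone-member security OUTSIDE
```

Once either zone pair touching self exists, the default "self zone is unfiltered" behaviour ends, which is why the branch in the thread (with no self-zone policy) worked without an explicit GRE permit while the head-end did not. Verify with `show policy-map type inspect zone-pair` and `show crypto ipsec sa` that the pass counters increment and that encaps/decaps counters rise on both sides.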