03-03-2003 12:05 AM - edited 02-21-2020 12:23 PM
I am a little bit confused about access lists in two VPN solutions.
As far as I understand, in the first case with a pure IPSec conf. you should open IP protocols esp, ahp and udp port 500. What should be open in case of GRE over IPSec? Just the gre protocol or something else?
03-03-2003 11:22 AM
Hi,
UDP 500 is still required, for ISAKMP negotiations.
ESP is still required to be opened, as GRE is inside ESP.
GRE needs to be opened up, as inbound ACLs are processed twice on most IOS revs.
AHP is not required unless you have it configured.
03-03-2003 11:15 PM
If you say that ESP is still required, then there is some problem. I have a working (I think) config where there is no ESP protocol hit in the inbound access-list. Here it is.
On one router:
------------------------------------------
crypto isakmp policy 95
authentication pre-share
group 2
lifetime 900
crypto isakmp key some_key_here address X.X.X.X
crypto ipsec transform-set TS_UNIFORM_LZS ah-sha-hmac esp-des esp-sha-hmac comp-lzs
crypto map CM_RUMSK 3272 ipsec-isakmp
description KPMG ALM/KZ VPN connection
set peer X.X.X.X
set transform-set TS_UNIFORM_LZS
match address 116
interface Tunnel5
description Link to KPMG ALM/KZ
ip address 10.207.112.18 255.255.255.252
ip mtu 1400
tunnel source Serial0/0
tunnel destination X.X.X.X
crypto map CM_RUMSK
interface Serial0/0
ip access-group AL_RUMSK_WAN_IN in
crypto map CM_RUMSK
access-list 116 permit gre host Y.Y.Y.Y host X.X.X.X
ip access-list extended AL_RUMSK_WAN_IN
remark - KPMG ALM/KZ VPN/NTP to KPMGMain
permit ahp host X.X.X.X host Y.Y.Y.Y
permit udp host X.X.X.X eq isakmp host Y.Y.Y.Y eq isakmp
permit gre host X.X.X.X host Y.Y.Y.Y
-----------------------------------------------------------------------
On the other side it is the same, but I added ESP to the access list:
-------------------------------------------------------------------
permit gre host Y.Y.Y.Y host X.X.X.X
permit ahp host Y.Y.Y.Y host X.X.X.X
permit esp host Y.Y.Y.Y host X.X.X.X
permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X eq isakmp
-------------------------------------------------------------------------------
When I do "show ip access-lists" on the second router I get:
permit gre host Y.Y.Y.Y host X.X.X.X (70799 matches)
permit ahp host Y.Y.Y.Y host X.X.X.X (57164 matches)
permit esp host Y.Y.Y.Y host X.X.X.X
permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X eq isakmp (220 matches)
NO matches on ESP..!?
Tunnel is perfectly working. I can ping and not only ping.
With the command "sh crypto isakmp sa" I see
dst src state conn-id slot
Y.Y.Y.Y X.X.X.X QM_IDLE 1216 0
which I hope means that the SA is established.
The "show proc cpu" command shows
75 213956616 77147222 2773 2.94% 2.51% 4.62% 0 Encrypt Proc
The load is like that of IP Input. I don't know a command that shows that encryption is 100% working, but I think if the tunnel with the crypto map is working, encryption is applied.
How would you explain this?
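As an added example, not code from either poster, the following Python script models the reply above (UDP/500 for ISAKMP, ESP or AH for the protected packet, GRE because the decrypted packet re-enters the inbound ACL) and checks it against "show ip access-lists" output of the shape shown in this post. It assumes RFC 4301 ordering, i.e. when a transform set combines AH and ESP the AH header is outermost, so the interface ACL sees IP protocol 51 (ahp) and never protocol 50 (esp); the sample output is constructed, with documentation addresses standing in for the X.X.X.X / Y.Y.Y.Y placeholders.

```python
import re

# Constructed sample of "show ip access-lists" output, shaped like the one in
# the thread; 192.0.2.2 / 198.51.100.1 are documentation addresses standing in
# for the Y.Y.Y.Y / X.X.X.X placeholders.
SAMPLE_SHOW_ACL = """\
Extended IP access list AL_RUMSK_WAN_IN
    permit gre host 192.0.2.2 host 198.51.100.1 (70799 matches)
    permit ahp host 192.0.2.2 host 198.51.100.1 (57164 matches)
    permit esp host 192.0.2.2 host 198.51.100.1
    permit udp host 192.0.2.2 eq isakmp host 198.51.100.1 eq isakmp (220 matches)
"""

# One ACE: optional sequence number, 'permit', protocol keyword, the rest, and
# an optional "(N matches)" / "(1 match)" counter that IOS appends.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(\S+)\s.*?(?:\((\d+) matche?s\))?\s*$"
)


def parse_acl_matches(show_text):
    """Return {protocol: total matches} for the permit entries of one ACL.

    A 'udp' entry that references ISAKMP (port 500) is keyed as 'udp/500' so
    it can be compared with the requirements below.  Counts for several
    entries of the same protocol are summed.
    """
    counts = {}
    for line in show_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        proto, hits = m.group(1), int(m.group(2) or 0)
        if proto == "udp" and ("isakmp" in line or " 500" in line):
            proto = "udp/500"
        counts[proto] = counts.get(proto, 0) + hits
    return counts


def required_inbound_protocols(transform_set, gre_over_ipsec=True):
    """Protocols the inbound interface ACL must permit for one crypto peer.

    transform_set: the keywords following 'crypto ipsec transform-set NAME'.
    Modelling assumptions (not stated in the thread): ISAKMP is always
    UDP/500; when AH and ESP are combined, AH is the outermost header
    (RFC 4301 ordering), so the interface ACL only ever sees IP protocol 51
    ('ahp') on the protected packet; with GRE over IPsec the decrypted GRE
    packet re-enters the inbound ACL, as the reply in the thread says.
    """
    transforms = transform_set.lower().split()
    uses_ah = any(t.startswith("ah-") for t in transforms)
    uses_esp = any(t.startswith("esp-") for t in transforms)
    required = {"udp/500"}
    if uses_ah:
        required.add("ahp")
    elif uses_esp:
        required.add("esp")
    if gre_over_ipsec:
        required.add("gre")
    return required


def audit_acl(transform_set, show_text, gre_over_ipsec=True):
    """Compare what the ACL permits (and has matched) with what is required.

    missing: required protocol with no permit entry at all (tunnel will fail)
    silent:  required protocol permitted but never matched (nothing arriving)
    unused:  permitted, not required, and never matched (least-privilege
             candidate for removal)
    """
    required = required_inbound_protocols(transform_set, gre_over_ipsec)
    observed = parse_acl_matches(show_text)
    return {
        "missing": {p for p in required if p not in observed},
        "silent": {p for p in required if observed.get(p) == 0},
        "unused": {p for p, n in observed.items() if p not in required and n == 0},
    }


if __name__ == "__main__":
    # The transform set from the posted config: AH outermost, so 'esp' is
    # permitted but never hit, which is exactly what the counters show.
    ts = "ah-sha-hmac esp-des esp-sha-hmac comp-lzs"
    for key, protos in audit_acl(ts, SAMPLE_SHOW_ACL).items():
        print(f"{key}: {sorted(protos) or '-'}")
```

Run against the posted counters, the audit reports nothing missing or silent and lists only esp as an unused permit; change the transform set to an ESP-only one and the same output makes esp "silent", which is the case where a zero-match counter would actually indicate a problem.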