IPSec and GRE/IPSec access lists

slavon
Level 1

I am a little bit confused about access lists in two VPN solutions.

As far as I understand, in the first case with a pure IPSec config you should open the IP protocols esp and ahp and UDP port 500. What should be open in the case of GRE over IPSec? Just the gre protocol or something else?


afakhan
Level 4

Hi,

UDP 500 is still required, for ISAKMP negotiations.

ESP is still required to be opened, as GRE is inside ESP.

GRE needs to be opened up, as inbound ACLs are processed twice on most IOS revs.

AHP is not required unless you have it configured.

If you say that ESP is still required, then there is some problem. I have a working (I think) config where there are no ESP protocol hits on the inbound access-list. Here it is.

On one router:

------------------------------------------
crypto isakmp policy 95
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key some_key_here address X.X.X.X

crypto ipsec transform-set TS_UNIFORM_LZS ah-sha-hmac esp-des esp-sha-hmac comp-lzs

crypto map CM_RUMSK 3272 ipsec-isakmp
 description KPMG ALM/KZ VPN connection
 set peer X.X.X.X
 set transform-set TS_UNIFORM_LZS
 match address 116

interface Tunnel5
 description Link to KPMG ALM/KZ
 ip address 10.207.112.18 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination X.X.X.X
 crypto map CM_RUMSK

interface Serial0/0
 ip access-group AL_RUMSK_WAN_IN in
 crypto map CM_RUMSK

access-list 116 permit gre host Y.Y.Y.Y host X.X.X.X

ip access-list extended AL_RUMSK_WAN_IN
 remark - KPMG ALM/KZ VPN/NTP to KPMGMain
 permit ahp host X.X.X.X host Y.Y.Y.Y
 permit udp host X.X.X.X eq isakmp host Y.Y.Y.Y eq isakmp
 permit gre host X.X.X.X host Y.Y.Y.Y
-----------------------------------------------------------------------

On the other side it is the same, but I added ESP to the access list:

-------------------------------------------------------------------
 permit gre host Y.Y.Y.Y host X.X.X.X
 permit ahp host Y.Y.Y.Y host X.X.X.X
 permit esp host Y.Y.Y.Y host X.X.X.X
 permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X eq isakmp
-------------------------------------------------------------------------------

When I do "show ip access-lists" on the second router I get:

permit gre host Y.Y.Y.Y host X.X.X.X (70799 matches)
permit ahp host Y.Y.Y.Y host X.X.X.X (57164 matches)
permit esp host Y.Y.Y.Y host X.X.X.X
permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X eq isakmp (220 matches)

NO matches on ESP..!?

Tunnel is perfectly working. I can ping and not only ping.

By the command "sh crypto isakmp sa" I see

dst      src      state    conn-id  slot
Y.Y.Y.Y  X.X.X.X  QM_IDLE  1216     0

which I hope means that the SA is established.

The "show proc cpu" command shows

75 213956616 77147222 2773 2.94% 2.51% 4.62% 0 Encrypt Proc

The load is like that of IP Input. I don't know a command that shows that encryption is 100% working, but I think if the tunnel with the crypto map is working, encryption is applied.

How would you explain this?
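The observation in the thread (an inbound ACL whose gre and ahp entries count thousands of hits while the esp entry never matches) follows from what IOS puts on the outside of the packet: when a transform set contains an AH transform together with ESP, AH is applied last and is the outer header, so the interface ACL classifies the encrypted traffic as protocol 51 (ahp) and never sees ESP as the outer protocol; GRE is hit because, as the first reply notes, the inbound ACL is evaluated again on the decrypted packet. The following Python script is an added example, not code from the thread or from Cisco, that turns that reasoning into a check: it derives the set of protocols an inbound WAN ACL needs from the transform-set keywords, parses the hit counters out of "show ip access-lists" output, and reports which idle entries are expected and which are not. The function names, the constructed sample output (which reuses the thread's placeholder addresses and counters) and the NAT-T handling (ESP encapsulated in UDP 4500, which the thread does not use) are all assumptions of this example.

```python
"""Derive the outer protocols an inbound WAN ACL must permit for a
GRE-over-IPsec tunnel from the transform set, then check that against the
hit counters of 'show ip access-lists'. Added example, not from the thread."""

import re

# IOS transform-set keywords. Any AH transform makes AH (IP protocol 51,
# keyword 'ahp' in ACL syntax) the outermost header; ESP (protocol 50) is
# then carried inside AH and is never the outer protocol the interface ACL
# sees. Assumed: only the two AH transform names used here are recognised.
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_PREFIX = "esp-"


def required_inbound_permits(transform_set, gre_over_ipsec=True, nat_t=False):
    """Return the set of (protocol, port) entries the inbound interface ACL needs.

    - IKE/ISAKMP negotiates over UDP 500.
    - With an AH transform the outer header is AH; otherwise it is ESP, or
      UDP 4500 when NAT traversal encapsulates ESP in UDP (AH cannot be NAT-T'd).
    - The interface ACL is evaluated again on the decrypted packet, so the
      inner GRE (protocol 47) must be permitted as well.
    """
    transforms = set(transform_set.split())
    uses_ah = bool(transforms & AH_TRANSFORMS)
    uses_esp = any(t.startswith(ESP_PREFIX) for t in transforms)
    permits = {("udp", 500)}
    if uses_ah:
        permits.add(("ahp", None))
    elif uses_esp:
        permits.add(("udp", 4500) if nat_t else ("esp", None))
    if gre_over_ipsec:
        permits.add(("gre", None))
    return permits


# One 'permit <proto> ...' line of 'show ip access-lists', with an optional
# sequence number and an optional trailing "(N matches)" counter; entries
# that never matched are printed without a counter.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$"
)


def parse_ace_counters(show_output):
    """Parse permit entries into a list of (protocol, match_count) tuples."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(3) or 0)))
    return entries


def audit_acl(transform_set, show_output, gre_over_ipsec=True, nat_t=False):
    """Compare the ACL's hit counters against what the transform set implies."""
    required = {p for p, _ in required_inbound_permits(transform_set, gre_over_ipsec, nat_t)}
    seen = parse_ace_counters(show_output)
    permitted = {p for p, _ in seen}
    zero_hits = {p for p, n in seen if n == 0}
    return {
        # needed on the wire but absent from the ACL: the tunnel would fail
        "missing": required - permitted,
        # permitted but never the outer header for this transform set (e.g.
        # esp when ah-sha-hmac wraps it): an idle counter is the expected result
        "expected_idle": zero_hits - required,
        # required and permitted yet never hit: worth investigating
        "unexpected_idle": zero_hits & required,
    }


# Constructed sample reproducing the counters quoted in the thread, with the
# same placeholder addresses; sequence numbers are assumed.
SHOW_IP_ACCESS_LISTS = """\
Extended IP access list AL_RUMSK_WAN_IN
    10 permit gre host Y.Y.Y.Y host X.X.X.X (70799 matches)
    20 permit ahp host Y.Y.Y.Y host X.X.X.X (57164 matches)
    30 permit esp host Y.Y.Y.Y host X.X.X.X
    40 permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X eq isakmp (220 matches)
"""

if __name__ == "__main__":
    result = audit_acl("ah-sha-hmac esp-des esp-sha-hmac comp-lzs", SHOW_IP_ACCESS_LISTS)
    for key, protos in result.items():
        print(f"{key}: {sorted(protos) or '-'}")
```

Run against the thread's transform set the script reports esp as expected_idle and nothing as missing or unexpected_idle; run against an ESP-only transform set it flags the same idle esp entry as unexpected, which is the case where a zero counter would indicate a real problem.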