ipsec gre tunnel explanation

atlewis9777
Level 1

I have been doing some testing with mGRE tunnels and adding IPsec encryption to them so I can route my VoIP phones through the tunnels. I have found something interesting and am looking for an explanation as to why this is.

I have 3 sites, one of which is considered the hub and the other two are considered spokes. I create the following configuration on all three routers:

crypto isakmp policy 5
 encryption aes 128
 authentication pre-share
 group 2
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec profile medium
 set transform-set strong

Then, under the tunnel interface, I apply the following command:

tunnel protection ipsec profile medium

With this config the first tunnel, between the hub and spoke 1, comes up with no problems; however, the spoke 2 router will never establish a tunnel.

What I have discovered is that if I change this command on all three routers, all of the tunnels come up and everything works, but why?

crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth

Why does adding the no-xauth allow all of the tunnels to establish connectivity?

What exactly does the no-xauth do and does adding it pose any security risk?

Thanks for any input.

Accepted Solution

raga.fusionet
Level 4

Hi There,

The "no-xauth" keyword is telling the router not to try extended authentication for the VPN tunnels.

Extended authentication (username and password) is used only when you are connecting VPN clients. If you have VPN clients and dynamic keys configured on the router, you must add the "no-xauth" keyword at the end of those lines so that it doesn't try to authenticate the routers using a user/pass combination.

The keyword is there for that specific reason and you are not adding any security risk by adding it.

HTH.

Raga

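As an added example (not code from this thread or from Cisco), a small Python check over an IOS-style crypto configuration like the one in the question above. It flags what the accepted answer points at, a wildcard pre-shared key line without no-xauth, and also catches a profile that references a transform-set name that was never defined. The sample config and the finding strings are constructed here.

```python
import re

# Constructed sample config (hypothetical, not from a real device): a wildcard
# pre-shared key without no-xauth, and a profile referencing an undefined
# transform-set name, so that both checks below produce a finding.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encryption aes 128
 authentication pre-share
 group 2
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec profile medium
 set transform-set medium
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+) (\S+)(.*)$")
TS_DEF_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
TS_REF_RE = re.compile(r"^\s*set transform-set (\S+)")


def lint_isakmp_config(config):
    """Return a list of findings for the pitfalls discussed in the thread."""
    findings = []
    defined, referenced = set(), []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m:
            addr, mask, rest = m.groups()
            wildcard = (addr, mask) == ("0.0.0.0", "0.0.0.0")
            if wildcard and "no-xauth" not in rest:
                # The accepted answer's point: without no-xauth the router may
                # try extended (user/password) authentication against router peers.
                findings.append("wildcard pre-shared key without no-xauth")
            if wildcard:
                # A wildcard PSK is accepted from any peer address that knows the key.
                findings.append("wildcard pre-shared key shared with every peer")
            continue
        m = TS_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = TS_REF_RE.match(line)
        if m:
            referenced.append(m.group(1))
    for name in referenced:
        if name not in defined:
            findings.append(f"profile references undefined transform-set '{name}'")
    return findings
```

Running lint_isakmp_config(SAMPLE_CONFIG) yields three findings; adding no-xauth and pointing the profile at the defined transform-set leaves only the note about the shared wildcard key.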



Raga,

Thank you for your answer. This certainly cleared up my questions and concerns about this command.

Great. Glad I could help