05-21-2003 12:49 PM - edited 02-21-2020 12:33 PM
Hi All,
I just set up an IPSec tunnel. Apart from using debug crypto ipsec / isakmp, how can I verify that IPSec is working? When I configure the crypto map, can I use the tunnel's IP as the peer address?
Thanks in advance.
Banlan
05-27-2003 09:00 PM
Hi Banlan,
Thanks for your appreciation. I feel honored !
Coming back to your question, regarding GRE inside IPSec, you should use gre as the protocol in the access list; that's right, you should get points for that!! (because the IP packet is first encapsulated by GRE and then the AH/ESP headers are added). Also remember that the IP address given as the tunnel destination should be globally routable. You cannot use the tunnel end-point as the tunnel destination (except, of course, when the routers are connected back to back).
See the following configs for GRE inside IPSec.
! ON THE INITIATOR
...
...
access-list 110 permit GRE host
...
crypto isakmp policy 12
authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 11 ipsec-isakmp
set peer
set transform-set TS
match address 110
!
interface tunnel1
ip unnumbered
tunnel source
tunnel destination
crypto map CM
!
interface
crypto map CM
!
ip route x.x.x.x
! ON THE RESPONDER
...
...
access-list 111 permit GRE host
...
crypto isakmp policy 11
authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 10 ipsec-isakmp
set peer
set transform-set TS
match address 111
!
interface tunnel2
ip unnumbered
tunnel source
tunnel destination
crypto map CM
!
interface
crypto map CM
!
ip route x.x.x.x
I think you have the answer now. Catch me if you want anything else.
Cheers :-))
Naveen
05-21-2003 07:41 PM
Hi Banlan,
There are many commands to verify IPSec configurations. Try out these. Depending on the IOS version some may work and some may not.
show pas isa int
show pas isa ?
show int f0/1 stats
show cry ipsec sa
show cry ipsec sa | inc compressed
show cry engine conn active
show cry engine config
Whether you can use the tunnel's IP address as the peer address depends on how you are configuring IPSec and GRE. There are basically 2 ways of doing it: IPSec over GRE and GRE over IPSec. There is a great deal of difference between the two. Let me know exactly what you want to know about.
Thanks,
Naveen.
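Reading the counters from show cry ipsec sa is the usual way to answer "is IPSec actually working?"; the script below is an added example (not from this thread or from Cisco) that parses constructed output in that layout and classifies each peer as up, one-way or down. Counter names and the "local  ident" block structure follow IOS 12.x; the addresses and SPIs are placeholders.

```python
import re

# Constructed sample in the layout of IOS "show crypto ipsec sa" (not real router output):
# one healthy GRE-inside-IPSec peer, and one peer whose SA never came up.
SAMPLE = """\
interface: Tunnel1
    Crypto map tag: CM, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7081(1584754817)

   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
   current_peer 203.0.113.9 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
     outbound esp sas:
"""

PEER_RE = re.compile(r"current_peer (\S+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")

def parse_ipsec_sa(text):
    """Map each current_peer to its encaps/decaps counters and the ESP SPIs it holds."""
    peers = {}
    for block in text.split("local  ident")[1:]:   # one block per crypto-map entry
        peer = PEER_RE.search(block).group(1)
        counters = {name: int(n) for name, n in COUNT_RE.findall(block)}
        peers[peer] = {**counters, "spis": SPI_RE.findall(block)}
    return peers

def assess(entry):
    """Read the counters the way you would by eye: 'down', 'one-way' or 'up'."""
    if len(entry["spis"]) < 2:   # no inbound+outbound ESP SA: IKE never completed
        return "down"            # (check isakmp policy, pre-shared key, crypto ACL)
    if bool(entry["encaps"]) != bool(entry["decaps"]):
        return "one-way"         # encrypt but never decrypt, or vice versa: far-side ACL/route
    return "up"

def tunnel_report(text):
    return {peer: assess(e) for peer, e in parse_ipsec_sa(text).items()}
```

A "one-way" result with the GRE tunnel line-protocol up usually means the crypto access-lists on the two routers are not mirror images of each other.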
05-22-2003 06:57 AM
Hi Naveen,
Thank you for your reply. I tried some of the commands you gave me to show the information; they work, except that with sh int f0/1 stats I can't catch any info for IPSec. Right now I am using IPSec over GRE; when I try to use the tunnel's IP as the peer address, it fails. Could you tell me more about GRE over IPSec?
Regards
Banlan
05-22-2003 08:02 PM
Hi Banlan,
If you are using IPSec over GRE, then your access-list has to contain the tunnel end-points as the traffic source and destination and use only GRE as the protocol (access-list 110 permit gre ....)
If you are using GRE over IPSec, then the access-list has to use only the IP protocol and use only the hosts as the traffic source and destination.
I have tried some other combinations, but they didn't work. Get back to me if you need more information.
Regards,
Naveen.
05-23-2003 11:04 AM
Hi Naveen,
Could you give more information or a link to your website about GRE over IPSec? I want to know how to configure this kind of scenario. Also, would you please tell me what the best rule is for picking an interface in a CBAC environment?
I saw the IOS document at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm#15788
but it is very confusing. Sometimes the inspection is applied on the external interface with the ACL (Remote Office to ISP Configuration Example), and sometimes it is used on the internal interface while the ACL is still on the external one (Ethernet Example).
Thanks a lot.
Banlan
05-26-2003 05:43 AM
Hi Banlan,
It is very rare that GRE over IPSec is used. This could possibly be required (I'm not very sure) when you want to send some traffic encrypted through the tunnel and some other traffic unencrypted. Anyway, I have tested this configuration also and saved it. I couldn't get my hands on it; I'll get it to you tomorrow. Is that ok?
Meanwhile, if you are trying to configure it, then please keep the following points in mind.
1. There is no change in the ISAKMP(or IKE) configuration.
2. The key authentication method remains the same.
3. The only difference is in the crypto access-list used.
E.g.: The crypto access-list should look like "access-list 110 permit ip host
Best of luck,
Naveen
PS: Regarding CBAC environment, I don't have much hands-on and so I don't want to mislead by any wrong info. I'll try to get the right info if someone in our team knows well about it. Thanks :-))
05-26-2003 05:47 PM
As I understand:
-GRE over IPSec is to encapsulate GRE packet using IPSec header(access-list 110 permit gre ...)
-IPSec over GRE is to encapsulate IPSec packet using GRE header
You can refer to http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009430a.shtml
05-27-2003 12:21 AM
Hi,
Going by the correct technical parlance, the two types are
1. GRE inside IPSec (which works for both transport and tunnel modes)
2. IPSec inside GRE (works only for tunnel mode and is not used often)
Following are the configs for IPSec inside GRE.
! ON THE INITIATOR
...
...
access-list 110 permit ip host
...
crypto isakmp policy 12
authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 11 ipsec-isakmp
set peer
set transform-set TS
match address 110
!
interface tunnel1
ip unnumbered
tunnel source
tunnel destination
crypto map CM
!
interface
crypto map CM
!
ip route x.x.x.x
! ON THE RESPONDER
...
...
access-list 111 permit ip host
...
crypto isakmp policy 11
authentication pre-shared
!
crypto isakmp key xxxxx address
crypto ipsec transform-set TS esp-des
!
crypto map CM 10 ipsec-isakmp
set peer
set transform-set TS
match address 111
!
interface tunnel2
ip unnumbered
tunnel source
tunnel destination
crypto map CM
!
interface
crypto map CM
!
ip route x.x.x.x
Try to configure this and let me know if there are any issues. (This is a working configuration tested in our lab) :-))
Cheers,
Naveen
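Naveen's rule for the crypto access-list (permit gre between the tunnel endpoints for GRE inside IPSec; permit ip between the end hosts for IPSec inside GRE, as stated in the 05-22 and 05-27 posts) turned into a small config lint. This is an added example, not code from the thread; it assumes host-to-host access-list lines and fills the INITIATOR template with constructed placeholder addresses where the post leaves them blank.

```python
import re

# Constructed config fragment shaped like the INITIATOR example in the thread, with
# placeholder addresses filled in where the post leaves them blank.
GRE_INSIDE_IPSEC = """\
access-list 110 permit gre host 192.0.2.1 host 198.51.100.1
crypto map CM 11 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 110
interface Tunnel1
 ip unnumbered FastEthernet0/0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) host (\S+) host (\S+)", re.M)

def field(cfg, key):
    """First value after a 'key' line, e.g. 'set peer' or 'tunnel source'."""
    m = re.search(rf"^\s*{key} (\S+)", cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    acls = {n: (proto.lower(), src, dst) for n, proto, src, dst in ACL_RE.findall(cfg)}
    return {"acl": acls.get(field(cfg, "match address")), "peer": field(cfg, "set peer"),
            "tsrc": field(cfg, "tunnel source"), "tdst": field(cfg, "tunnel destination")}

def check(cfg, design):
    """design is 'gre-inside-ipsec' or 'ipsec-inside-gre'; returns a list of findings."""
    c = parse(cfg)
    findings = []
    if c["acl"] is None:
        return ["crypto map 'match address' does not point at a host-to-host permit line"]
    proto, src, dst = c["acl"]
    if design == "gre-inside-ipsec":
        if proto != "gre":
            findings.append(f"crypto ACL must permit gre (proto 47), got {proto}")
        if {src, dst} != {c["tsrc"], c["tdst"]}:
            findings.append("crypto ACL must name the tunnel source and destination hosts")
        if c["peer"] != c["tdst"]:
            findings.append("set peer must be the routable tunnel destination, not the tunnel IP")
    else:
        if proto != "ip":
            findings.append(f"crypto ACL must permit ip between the end hosts, got {proto}")
        if {src, dst} & {c["tsrc"], c["tdst"]}:
            findings.append("crypto ACL must name the end hosts, not the tunnel endpoints")
    return findings
```

Run check() against both routers' fragments; the RESPONDER's access-list should come back as the mirror image (source and destination swapped) of the INITIATOR's.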
05-27-2003 10:51 AM
Hi Naveen ,
Thank you for your help. I really appreciate.
Actually, in my lab, I used a similar configuration. The difference is that I used a static IP on the tunnel interface and used two private subnets (behind the two routers) in the access-list to bring up the IPSec. So this is IPSec inside GRE (so-called IPSec over GRE).
I saw the article yongl gave me, "Configuring GRE Over IPSec Between a Cisco IOS Router and a VPN 5000 Concentrator Using Dynamic Routing". It seems the major difference between IPSec inside GRE and GRE inside IPSec is that GRE inside IPSec can support both transport and tunnel mode, but IPSec inside GRE cannot. Also, with GRE over IPSec you need to use GRE traffic to bring up IPSec. Am I right?
BTW, on the RESPONDER side, I should use
Cheers!
Banlan
05-29-2003 10:46 AM
Hi Naveen,
Thank you again. If you get any info about firewall feature, please let me know.
Regards
Banlan