Need help understanding this config with Tunnel and IPsec

intertechusa
Level 1

Hi,

I'm new to VPNs and am trying to decipher this config. It seems there is a GRE tunnel and an IPsec VPN configured. Does this config look valid? Why would there be a crypto map configured but not applied to an interface? Is all the IPsec config for the GRE tunnel? Plus, there is no access-list 110 configured. Is it possible that they haven't implemented the VPN and are only using the tunnel? I'm going to be installing a PIX behind this router. We have a public .252 network for this. Will I be needing to move the VPN to the PIX?

Thanks

! Phase 1 (ISAKMP) policy and pre-shared key for peer 122.223.42.22
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key alpskey5 address 122.223.42.22
!
! Phase 2 transform set
crypto ipsec transform-set to_east esp-des esp-md5-hmac
!
! Crypto map entry; "! Incomplete" is IOS's own marker. It references
! access-list 110, which is not in this config, and the map is not applied
! under any interface below.
crypto map alpsvpn 5 ipsec-isakmp
 ! Incomplete
 set peer 122.223.42.22
 set transform-set to_east
 match address 110
!
! GRE tunnel; note the destination differs from the crypto map peer
interface Tunnel1
 ip address 10.255.255.193 255.255.255.252
 ip helper-address 192.168.10.255
 ip directed-broadcast
 tunnel source Serial0/0
 tunnel destination 222.252.241.43
 tunnel key 55555
!
interface FastEthernet0/0
 ip address 204.x.x.x.255.255.0 secondary
 ip address 10.255.255.190 255.255.255.252 secondary
 ip address 10.0.1.1 255.255.255.0
 ip access-group inside_out in
 ip helper-address 10.0.1.255
 ip helper-address 204.243.19.255
 ip helper-address 192.168.0.255
 ip directed-broadcast
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description T1 to Internet (AT&T)
 ip address 12.x.x.x.x.255.252
 ip access-group 105 in
 ip nat outside
 ip inspect outside in
 ip inspect firewall out
 encapsulation ppp
 no fair-queue
!
interface Serial0/1
 description T1 to Richmond (Sprint)
 ip address 10.255.255.202 255.255.255.252
 ip directed-broadcast
 ip nat inside
!
ip route 10.255.255.200 255.255.255.252 Tunnel1
ip route 122.x.x.x.x.255.252 Serial0/1
ip route 192.168.10.0 255.255.255.0 Tunnel1


Richard Burts
Hall of Fame

This config has a GRE tunnel and PART OF IPSec - but it is certainly not complete. As it stands IPSec would not work. Is this from a live config which is actually passing traffic, or perhaps from a lab environment or a plan for a config which was not actually implemented? If it is a live config then it is passing traffic over the GRE and IPSec plays no role.

HTH

Rick

It is a live config (IPs have been changed). That is what I kind of thought after reading up on configuring IPsec. I have a couple more questions:

1 - Why is there a static route for network 10.255.255.200/30 pointing to Tunnel1 when that network is directly connected to s0/1?

ROUTER#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    204.x.x.0/24 is directly connected, FastEthernet0/0
     65.0.0.0/28 is subnetted, 1 subnets
S       65.173.1.0 is directly connected, Serial0/1
S    192.168.10.0/24 is directly connected, Tunnel1
     122.223.0.0/30 is subnetted, 1 subnets
S       144.223.42.20 is directly connected, Serial0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.0.1.0/24 is directly connected, FastEthernet0/0
C       10.255.255.188/30 is directly connected, FastEthernet0/0
C       10.255.255.200/30 is directly connected, Serial0/1
C       10.255.255.192/30 is directly connected, Tunnel1
S    192.168.0.0/24 is directly connected, Serial0/1
     12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       12.x.x.5/32 is directly connected, Serial0/0
C       12.x.x.4/30 is directly connected, Serial0/0
S    192.168.16.0/24 [1/0] via 10.0.1.47
S    192.168.1.0/24 [1/0] via 10.0.1.253
S*   0.0.0.0/0 is directly connected, Serial0/0

2 - The Tunnel currently terminates on the router and is assigned a private address. When I add in the PIX behind the router, the router will no longer be doing NAT, and the network directly behind the router will be public/routable. I'm not clear on how I terminate the Tunnel to the inside network behind the firewall. It seems I would need another router to terminate the Tunnel on the private network.
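The reply above says the IPsec part of this config cannot work, and question 1 asks about the static route for 10.255.255.200/30 that the routing table shows as connected on Serial0/1 rather than via Tunnel1. The Python checker below is an added example, not part of the thread and not a Cisco tool, that makes both points mechanical: it parses an IOS running-config into blocks and reports a crypto map whose ACL is undefined or which is applied to no interface, a crypto map peer with no ISAKMP key, a GRE tunnel destination (222.252.241.43) that matches no crypto map peer (122.223.42.22), static routes shadowed by a directly connected prefix, and the DES/MD5 algorithm choices a security reviewer would raise. The function names parse_blocks, audit and the sample config are assumptions of this example; the sample is a re-indented subset of the posted config with the masked lines left out.

```python
# Static audit of an IOS fragment. Added example, not from the thread and not a Cisco tool.
import ipaddress
import re

# Constructed sample: a subset of the poster's config, re-indented the way IOS
# prints it; lines with masked octets (204.x.x.x, 12.x.x.x) are left out.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key alpskey5 address 122.223.42.22
crypto ipsec transform-set to_east esp-des esp-md5-hmac
crypto map alpsvpn 5 ipsec-isakmp
 ! Incomplete
 set peer 122.223.42.22
 set transform-set to_east
 match address 110
interface Tunnel1
 ip address 10.255.255.193 255.255.255.252
 tunnel destination 222.252.241.43
interface Serial0/1
 ip address 10.255.255.202 255.255.255.252
ip route 10.255.255.200 255.255.255.252 Tunnel1
ip route 192.168.10.0 255.255.255.0 Tunnel1
"""
WEAK_IPSEC = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(text):
    """Return [(top-level line, [indented child lines])]; '!' comments dropped."""
    blocks = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(s)
        else:
            blocks.append((s, []))
    return blocks


def _network(addr, mask):
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:  # masked octets such as 204.x.x.x are skipped
        return None


def _arg(body, prefix):
    """Third word of the first child line starting with prefix, else None."""
    return next((c.split()[2] for c in body if c.startswith(prefix)), None)


def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    acls, tsets, keyed_peers, applied, connected, f = set(), {}, set(), set(), {}, []
    for header, body in blocks:  # inventory: ACLs, transform sets, keys, interfaces
        if m := re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", header):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.*)", header):
            tsets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", header):
            keyed_peers.add(m.group(1))
        elif header.startswith("crypto isakmp policy"):
            if "hash md5" in body or not any(c.startswith("encryption ") for c in body):
                f.append(f"{header}: weak phase 1 (MD5 hash or default DES encryption)")
        elif header.startswith("interface "):
            for c in body:
                if m := re.match(r"ip address (\S+) (\S+)", c):
                    if net := _network(m.group(1), m.group(2)):
                        connected[net] = header
            if name := _arg(body, "crypto map "):
                applied.add(name)
    for name, algs in tsets.items():
        f += [f"transform-set {name}: weak algorithm {a}" for a in algs if a in WEAK_IPSEC]
    map_peers = set()
    for header, body in blocks:  # crypto map completeness: the reply's point
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header):
            name, seq = m.groups()
            tag = f"crypto map {name} {seq}"
            peer = _arg(body, "set peer ")
            if peer in keyed_peers:
                map_peers.add(peer)
            else:
                f.append(f"{tag}: peer {peer} has no isakmp key")
            if (acl := _arg(body, "match address ")) not in acls:
                f.append(f"{tag}: match address {acl} refers to an undefined access-list")
            if name not in applied:
                f.append(f"{tag}: crypto map {name} is not applied to any interface")
    for header, body in blocks:  # GRE endpoint vs IPsec peer; static vs connected routes
        if header.startswith("interface Tunnel"):
            dest = _arg(body, "tunnel destination ")
            if dest and dest not in map_peers:
                f.append(f"{header}: tunnel destination {dest} matches no crypto map peer")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", header):
            net = _network(m.group(1), m.group(2))
            if net in connected:
                f.append(f"ip route {net} via {m.group(3)}: shadowed by connected route on "
                         f"{connected[net]} (connected AD 0 beats static AD 1)")
    return f
```

Calling audit(SAMPLE_CONFIG) returns one line per finding; paste the output of show running-config in place of the sample to run it against a live box. The shadowed-route check relies on connected routes having administrative distance 0 and static routes 1, which is why the routing table above installs the Serial0/1 connected route and not the static one via Tunnel1.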