Permit Ipsec protocol in ISP

Hi Guys,

I am trying to establish a site-to-site IPsec tunnel. I have requested the ISP to permit the IP protocol between site A and site B.

I would like to know, if the ISP opens the IP protocol, will it pass all the protocols required for the IPsec tunnel, and do I need to ask them to specifically open the below protocols:

50 - Encapsulation Header (ESP)

51 - Authentication Header (AH)

500/udp - Internet Key Exchange (IKE)

4500/udp - NAT traversal

Thanks in advance


17 REPLIES
Highlighted

From your list, you don't need AH (IP/50). It's normally not used for VPNs. But what kind of provider is that where you need to request that you want to use your connection for normal internet stuff?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Highlighted

I have a private WAN link between these 2 sites from the ISP.

Highlighted

ok (but still strange, also on a private link), then I would also ask for ICMP in addition to the IPSec-stuff to help you in your troubleshooting if something goes wrong.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Highlighted

I would like to know, if the ISP opens the IP protocol, will it pass all the protocols required for the IPsec (ESP, ISAKMP ...) tunnel, or do I need to ask them to open specific protocols other than IP?

ICMP is permitted; I can ping bidirectionally.

Highlighted

Hi,

IP doesn't include ESP. It includes TCP/UDP/ICMP but other protocols like ESP and GRE have their own protocol numbers at the IP layer.

So you should request:

permit ip any any

permit esp any any

permit gre any any

*I am using "any any" as an example.

Let us know if you have further questions, otherwise please mark this question as answered and rate any helpful posts

Portu.

Highlighted

Hi,

I've setup a couple of S2S IPSec VPNs on our CE routers using ADSL WAN service. The protocols mentioned are usually opened at the ISP.

Sent from Cisco Technical Support iPhone App

Highlighted

Yes, if they allow "IP", then every protocol on top of ip is allowed: TCP, UDP, ICMP, ESP, AH, GRE ...

Sent from Cisco Technical Support iPad App

Highlighted

Javier Portuguez

IP doesn't include ESP. It includes TCP/UDP/ICMP but other protocols like ESP and GRE have their own protocol numbers at the IP layer.

karsten.iwen

Yes, if they allow "IP", then every protocol on top of ip is allowed: TCP, UDP, ICMP, ESP, AH, GRE ...

There is a contradiction in the above 2 statements. Could someone please confirm with a supporting document?

I have the tunnel up but not passing the traffic .


Thanks

Highlighted

There is a contradiction in the above 2 statements. Could someone please confirm with a supporting document?

From the view of IP there is no difference in TCP/UDP/ICMP/ESP other than the ip-protocol. They are all included.

You can test it with a little setup. Connect two routers back to back and build a tunnel between them. On the outside interface you place the following ACL.

permit ip any any

permit esp any any

permit gre any any

permit ...

If they were not included you would see hitcounts not only on the first line.

I have the tunnel up but not passing the traffic .

then it's time to share your config

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Highlighted

Hi,

Just to clarify Javier is correct, IPsec is the layer 3 protocol to which ESP and AH belong, not IP.

I don't think we can find a Cisco document that explains this, though you can further read the following wiki article and RFC for ESP:

http://en.wikipedia.org/wiki/IPsec

http://tools.ietf.org/html/rfc4835

HTH

Jonnathan

Highlighted

Thanks Guys

Jonnathan Rojas: So that means I should ask the ISP to permit "ip" and UDP 500 (isakmp) and ESP (50), right, not just "ip"?

Highlighted

Just to clarify Javier is correct, IPsec is the layer 3 protocol to which ESP and AH belong, not IP.

Sorry to disagree with you and Javier (this time).

ESP is an encapsulation that sits on top of IP (the IP-protocol is 50). So your stack will be ETH-IP-ESP. TCP (IP-protocol 6) also sits on top of IP, the stack will be ETH-IP-TCP. Both (and GRE IP/47, AH IP/51, ICMP IP/1 ...) share the same protocol which is IP.

If ESP and AH were not based on IP but something else, then they couldn't be routed through an IP-network.

And if you use an ACL with "permit ip any any", all these protocols are included. Please try it in a lab to verify that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
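The lab test Karsten describes (an ACL of "permit ip any any" followed by "permit esp any any" and "permit gre any any", then reading the hit counts) and the ETH-IP-ESP stack from the accepted answer, as an added example that is not from this thread. It builds constructed IPv4 headers for each protocol in the discussion, reads the protocol field, and evaluates the ACL with first-match semantics; the ACL order and packet set are assumptions for the demonstration.

```python
import struct
from collections import Counter

# IANA IP protocol numbers quoted in the thread: ESP/AH are just protocols on top of IP
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

def ipv4_packet(proto, src="10.1.1.1", dst="10.2.2.2", payload=b""):
    """Build a minimal IPv4 header (constructed sample, checksum left 0) over a payload."""
    def ip2b(a): return bytes(int(o) for o in a.split("."))
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       ip2b(src), ip2b(dst)) + payload

def parse_ipv4(pkt):
    """Return (protocol number, src, dst) from the IPv4 header; an ESP packet is IP with proto 50."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    assert ver_ihl >> 4 == 4, "not an IPv4 header"
    return proto, ".".join(map(str, src)), ".".join(map(str, dst))

def ace_matches(ace, proto):
    """One entry of the form 'permit <proto> any any'; 'ip' matches every IP protocol number."""
    _, name, *_ = ace.split()
    return name == "ip" or PROTO[name] == proto

def acl_hitcounts(acl, packets):
    """First-match evaluation like an IOS ACL (implicit deny at the end).
    Returns the hit count per entry and the list of permitted protocol numbers."""
    hits, permitted = Counter(), []
    for pkt in packets:
        proto, _, _ = parse_ipv4(pkt)
        for ace in acl:
            if ace_matches(ace, proto):
                hits[ace] += 1
                permitted.append(proto)
                break  # later entries are never consulted for this packet
    return hits, permitted

# The ACL from the thread and one constructed packet per protocol
KARSTEN_ACL = ["permit ip any any", "permit esp any any", "permit gre any any"]
SAMPLE = [ipv4_packet(p) for p in PROTO.values()]

if __name__ == "__main__":
    hits, _ = acl_hitcounts(KARSTEN_ACL, SAMPLE)
    for ace in KARSTEN_ACL:
        print(f"{ace}: {hits[ace]} matches")  # only the first line collects hits
```

Reordering the ACL so the esp and gre entries come first makes those lines show hits instead, which is how the lab check tells the two claims apart.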


Highlighted

Karsten, your explanation makes sense and I just confirmed you are right by testing it

IP should permit ESP, didn't check GRE but as you said it should be the same thing, sorry for all the confusion cisconell

Highlighted

Thanks for all your valued inputs, but I'm not sure what's wrong with my tunnel:

1. Phase 1 is not coming up.

2. As in the test plan, will I be able to ping from the Site A ASA inside interface to the Site B inside interface?

config attached