09-14-2012 03:19 AM - edited 02-21-2020 06:20 PM
Hi Guys,
I am trying to establish a site-to-site IPsec tunnel. I have requested the ISP to permit IP protocol between site A and site B.
I would like to know, if the ISP opens IP protocol, will it pass all the protocols required for the IPsec tunnel, or do I need to ask them to specifically open the protocols below:
50 - Encapsulation Header (ESP)
51 - Authentication Header (AH)
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
Thanks in advance
09-14-2012 03:29 AM
From your list, you don't need AH (IP/50). It's normally not used for VPNs. But what kind of provider is that where you need to request that you want to use your connection for normal internet stuff?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-14-2012 03:50 AM
I have a private WAN link between these 2 sites from the ISP.
09-14-2012 04:07 AM
OK (but still strange, also on a private link), then I would also ask for ICMP in addition to the IPsec stuff, to help you in your troubleshooting if something goes wrong.
09-14-2012 05:14 AM
I would like to know, if the ISP opens IP protocol, will it pass all the protocols required for the IPsec tunnel (ESP, ISAKMP ...), or do I need to ask them to open specific protocols other than IP?
ICMP is permitted; I can ping bidirectionally.
09-14-2012 06:02 AM
Hi,
IP doesn't include ESP. It includes TCP/UDP/ICMP but other protocols like ESP and GRE have their own protocol numbers at the IP layer.
So you should request:
permit ip any any
permit esp any any
permit gre any any
*I am using "any any" as an example.
Let us know if you have further questions; otherwise please mark this question as answered and rate any helpful posts.
Portu.
09-14-2012 06:09 AM
Hi,
I've setup a couple of S2S IPSec VPNs on our CE routers using ADSL WAN service. The protocols mentioned are usually opened at the ISP.
Sent from Cisco Technical Support iPhone App
09-14-2012 07:23 AM
Yes, if they allow "IP", then every protocol on top of ip is allowed: TCP, UDP, ICMP, ESP, AH, GRE ...
Sent from Cisco Technical Support iPad App
09-14-2012 07:34 AM
IP doesn't include ESP. It includes TCP/UDP/ICMP but other protocols like ESP and GRE have their own protocol numbers at the IP layer.
Yes, if they allow "IP", then every protocol on top of ip is allowed: TCP, UDP, ICMP, ESP, AH, GRE ...
There is a contradiction in the above 2 statements; could someone please confirm with a supporting document?
I have the tunnel up but it is not passing the traffic.
Thanks
09-14-2012 08:19 AM
There is a contradiction in the above 2 statements; could someone please confirm with a supporting document?
From the view of IP there is no difference between TCP/UDP/ICMP/ESP other than the IP protocol number. They are all included.
You can test it with a little setup. Connect two routers back to back and build a tunnel between them. On the outside interface you place the following ACL.
permit ip any any
permit esp any any
permit gre any any
permit ...
If they were not included you would see hitcounts not only on the first line.
I have the tunnel up but it is not passing the traffic.
Then it's time to share your config.
09-14-2012 08:28 AM
Hi,
Just to clarify Javier is correct, IPsec is the layer 3 protocol to which ESP and AH belong, not IP.
I don't think we can find a Cisco document that explains this, though you can further read the following wiki article and RFC for ESP:
http://en.wikipedia.org/wiki/IPsec
http://tools.ietf.org/html/rfc4835
HTH
Jonnathan
09-14-2012 08:55 AM
Thanks Guys
Jonnathan Rojas: So that means I should ask the ISP to permit "ip" and UDP 500 (isakmp) and ESP (50), right, not just "ip"?
09-14-2012 09:03 AM
Just to clarify Javier is correct, IPsec is the layer 3 protocol to which ESP and AH belong, not IP.
Sorry to disagree with you and Javier (this time).
ESP is an encapsulation that sits on top of IP (the IP-protocol is 50). So your stack will be ETH-IP-ESP. TCP (IP-protocol 6) also sits on top of IP, the stack will be ETH-IP-TCP. Both (and GRE IP/47, AH IP/51, ICMP IP/1 ...) share the same protocol which is IP.
If ESP and AH were not based on IP but something else, then they couldn't be routed through an IP-network.
And if you use an ACL with "permit ip any any", all these protocols are included. Please try it in a lab to verify that.
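As an added illustration of Karsten's point (this is example code, not something posted in the thread), the following models the first-match semantics of a Cisco-style ACL over constructed IPsec-related packets. It assumes the IOS protocol keywords (`ahp` is the IOS name for AH, protocol 51), ignores addresses since every line is "any any", and shows that a leading "permit ip any any" takes every hit, while a list of specific lines shows where each protocol lands and what falls to the implicit deny.

```python
# Added example, not from the thread: a minimal model of Cisco-style ACL
# first-match evaluation. "ip" matches any IP protocol number, because ESP,
# AH, GRE, ICMP, TCP and UDP are all payloads of IP, distinguished only by the
# protocol field in the IP header. Addresses are ignored ("any any").
from typing import List, Optional, Tuple

# IANA IP protocol numbers for the IOS ACL keywords used in the thread.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

# Constructed sample traffic: (ip_protocol, destination UDP port or None).
IPSEC_PACKETS: List[Tuple[int, Optional[int]]] = [
    (17, 500),   # IKE / ISAKMP
    (17, 4500),  # IKE NAT traversal
    (50, None),  # ESP
    (51, None),  # AH
    (47, None),  # GRE (e.g. GRE over IPsec)
    (1, None),   # ICMP, the troubleshooting pings Karsten suggested
]

# Karsten's lab ACL: "ip" first, then the specific protocols.
KARSTEN_ACL = ["permit ip any any", "permit esp any any", "permit gre any any"]

def ace_matches(ace: str, proto: int, dport: Optional[int]) -> bool:
    """Match one access control entry: permit|deny <proto> any any [eq <port>]."""
    tokens = ace.split()
    keyword = tokens[1]
    if keyword == "ip":
        return True                      # any IP protocol number
    if PROTO_NUM[keyword] != proto:
        return False
    if "eq" in tokens:                   # optional port qualifier for tcp/udp
        return dport == int(tokens[tokens.index("eq") + 1])
    return True

def acl_hitcounts(acl: List[str], packets) -> List[int]:
    """Per-line hit counts under first-match; the extra last slot is the implicit deny."""
    hits = [0] * (len(acl) + 1)
    for proto, dport in packets:
        for i, ace in enumerate(acl):
            if ace_matches(ace, proto, dport):
                hits[i] += 1
                break
        else:
            hits[-1] += 1                # no line matched: implicit deny
    return hits

if __name__ == "__main__":
    # All six packets hit line 1; the esp and gre lines never fire.
    print(acl_hitcounts(KARSTEN_ACL, IPSEC_PACKETS))
```

Reordering the list so "permit ip any any" comes last makes the specific lines take the hits instead, which is how the hit counters in a lab confirm which protocols a line actually covers.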
09-14-2012 09:24 AM
Karsten, your explanation makes sense and I just confirmed you are right by testing it.
IP should permit ESP; I didn't check GRE but as you said it should be the same thing. Sorry for all the confusion, cisconell.
09-14-2012 09:43 AM