05-20-2013 03:09 AM
Hello all
I am currently studying my CCNA at university and we are doing a group project and have to set up an encrypted VPN tunnel. It is a lab environment, which is the reason Fast Ethernet ports are being used for the WAN link between sites. Our tunnel is working, as we only get EIGRP adjacency when the tunnel is activated, but it is not encrypting the traffic. I have pasted the config from the two routers below in the hope that someone will spot the problem, missing parameter, etc. Thanks in advance:
Melbourne Router:

```
sh run
Building configuration...

Current configuration : 2701 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Melbourne
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$a6cF$hku9VwfFY2t91gYi56.f00
enable password cisco
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 0zMult1 address 192.168.200.30
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.200.30
 set security-association lifetime seconds 28800
 set transform-set VPN-SET
 match address VPN-ACL
!
interface Tunnel0
 ip address 10.31.31.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.200.30
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.17.0.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 172.17.1.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 172.17.2.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 172.17.3.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 172.17.4.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.17.5.22 255.255.255.248
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.17.5.14 255.255.255.240
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 172.17.99.254 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.100.29 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN-MAP
!
router eigrp 32
 network 10.31.31.0 0.0.0.3
 network 172.17.0.0 0.0.0.255
 network 172.17.1.0 0.0.0.255
 network 172.17.2.0 0.0.0.255
 network 172.17.3.0 0.0.0.255
 network 172.17.4.0 0.0.0.255
 network 172.17.5.0 0.0.0.15
 network 172.17.5.16 0.0.0.7
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip http server
no ip http secure-server
!
ip access-list extended VPN-ACL
 permit gre host 10.31.31.1 host 10.31.31.2
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password ciscoccna
 login
!
scheduler allocate 20000 1000
!
end
Melbourne
```

Ballarat Router:

```
sh run
Building configuration...

Current configuration : 2371 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ballarat
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$jo2Y$N/21BdfKAKs5A.N6xuMBd0
enable password cisco
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 0zMult1 address 192.168.100.29
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.100.29
 set security-association lifetime seconds 28880
 set transform-set VPN-SET
 match address VPN-ACL
!
interface Tunnel0
 ip address 10.31.31.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.168.100.29
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.7
 encapsulation dot1Q 7
 ip address 172.17.32.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.8
 encapsulation dot1Q 8
 ip address 172.17.33.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.9
 encapsulation dot1Q 9
 ip address 172.17.34.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.17.35.14 255.255.255.240
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 172.17.99.254 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.200.30 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 32
 network 10.31.31.0 0.0.0.3
 network 172.17.32.0 0.0.0.255
 network 172.17.33.0 0.0.0.255
 network 172.17.34.0 0.0.0.255
 network 172.17.35.0 0.0.0.15
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
ip http server
no ip http secure-server
!
ip access-list extended VPN-ACL
 permit gre host 10.31.31.2 host 10.31.31.1
 permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 permit ip host 192.168.200.30 host 192.168.100.29
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password ciscoccna
 login
!
scheduler allocate 20000 1000
!
end
Ballarat#
```
05-20-2013 03:44 AM
As you are in the process of learning the stuff, there is no working config in my posting ... ;-)
Think about the definition of a crypto-ACL, where you specify which traffic should be protected and at the same time which traffic is expected to arrive protected. A rule of thumb was that these ACLs should be symmetrical on both ends (most of the time). In your config they are not.
Then think about the encapsulation process: how an IP packet travels to the router, gets encapsulated into GRE, and that resulting packet gets protected with IPsec. With that you know which entry you need in that crypto ACL.
And think about what activates your IPsec policy (crypto map). Is everything in place that is needed?
And as an optional exercise think about the difference of tunnel- and transport mode and what that means for your resulting IPsec-packets.
Have fun with your IPsec-lab!
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
05-20-2013 04:45 PM
Thank you for the reply, I understand what you're saying to a degree. This is a university project, but we are encouraged to research the answers to the problem from the internet. The project is an industry-standard work that is a combination of all skills gained in our course, including Windows Server, RHEL, Cisco and security principles. My role is actually to configure and maintain our three RHEL server boxes, but my team is struggling with the Cisco config, hence my post in these forums. Cheers, Travis
05-20-2013 10:13 PM
On top of what Karsten is saying, you need to understand the concept of encapsulation. Looking at your proxy ACL, it seems you don't get it right.
Basically you don't need to protect GRE between the two 10.x addresses, but if you construct the packet on paper, you will see your crypto ACL needs to protect GRE between 192.168.200.30 and 192.168.100.29.
Of course the ACL needs to be mirrored on the other side accordingly.
Cheers,
Olivier
05-21-2013 12:40 AM
I have taken the advice and reconfigured the routers from the start; the config is below. When I do an extended ping from e.g. 172.17.0.254 to 172.17.32.254 the encryption works, but in normal operation, e.g. ping 172.17.32.254 from the Melbourne router, it is not encrypted. Your help so far has been greatly appreciated. I feel like I'm close but just missing something.
Melbourne:

```
sh run
Building configuration...

Current configuration : 2514 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Melbourne
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7qHs$UoHdnPwf3r1XMEuZDNOj2/
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 0zMult1 address 192.168.200.30
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.200.30
 set transform-set esp-aes-sha
 match address 101
!
interface Tunnel0
 ip address 10.31.31.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.200.30
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.17.0.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 172.17.1.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 172.17.2.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 172.17.3.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.6
 encapsulation dot1Q 6
 ip address 172.17.4.254 255.255.255.0
 ip helper-address 172.17.5.1
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 172.17.5.22 255.255.255.248
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.17.5.14 255.255.255.240
!
interface FastEthernet0/1
 ip address 192.168.100.29 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
router eigrp 32
 network 10.31.31.0 0.0.0.3
 network 172.17.0.0 0.0.63.255
 no auto-summary
 neighbor 10.31.31.2 Tunnel0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 172.17.32.0 255.255.224.0 FastEthernet0/1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.17.0.0 0.0.63.255 172.17.32.0 0.0.31.255
!
control-plane
!
line con 0
 password 0zMult1
 logging synchronous
 login
line aux 0
line vty 0 4
 password 0zMult1
 login
line vty 5 15
 password 0zMult1
 login
!
scheduler allocate 20000 1000
!
end
Melbourne#
```

Ballarat:

```
sh run
Building configuration...

Current configuration : 2311 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ballarat
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t57B$BHoVOKDxpTEcXwWeIO4y1/
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 0zMult1 address 192.168.100.29
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.100.29
 set transform-set esp-aes-sha
 match address 101
!
interface Tunnel0
 ip address 10.31.31.2 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.100.29
 crypto map vpn
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.7
 encapsulation dot1Q 7
 ip address 172.17.32.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.8
 encapsulation dot1Q 8
 ip address 172.17.33.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.9
 encapsulation dot1Q 9
 ip address 172.17.34.254 255.255.255.0
 ip helper-address 172.17.35.1
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.17.35.14 255.255.255.240
!
interface FastEthernet0/1
 ip address 192.168.200.30 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
!
router eigrp 32
 passive-interface default
 no passive-interface Tunnel0
 network 10.31.31.0 0.0.0.3
 network 172.17.32.0 0.0.0.255
 network 172.17.33.0 0.0.0.255
 network 172.17.34.0 0.0.0.255
 network 172.17.35.0 0.0.0.15
 network 172.17.32.0 0.0.31.255
 no auto-summary
 neighbor 10.31.31.1 Tunnel0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.17.32.0 0.0.31.255 172.17.0.0 0.0.63.255
!
control-plane
!
line con 0
 password 0zMult1
 logging synchronous
 login
line aux 0
line vty 0 4
 password 0zMult1
 login
line vty 5 15
 password 0zMult1
 login
!
scheduler allocate 20000 1000
!
end
Ballarat#
```
05-21-2013 04:08 AM
Hello,
1. Crypto maps on tunnel interfaces are not supported. Can you remove that?
2. Your crypto ACL should be permit gre host 192.168.100.29 host 192.168.200.30 [ since you want to protect GRE - so you will select the tunnel source and destination end points]
Cheers,
05-21-2013 08:05 PM
So I need to remove the crypto map from Tunnel0 and should create an extended ACL such as:
ip access-list extended VPN-ACL
permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit GRE host 192.168.200.30 host 192.168.100.29
apply that to the crypto map and then mirror it on the other router?
Thanks so much to everyone for their input I have learnt a lot.
Cheers
05-22-2013 01:05 AM
You are mixing up two different ways to implement VPNs:
1) pure IPSec:
The IP packet is routed to the outside interface. A crypto map is applied there with a crypto ACL that specifies the end-to-end communication, for example the traffic from 172.17.0.0/19 to 172.17.32.0/19. The packet gets encapsulated/protected and the resulting IPsec packet is sent to the other side. No tunnel interface or GRE is involved here.
2) The GRE-approach:
The packet gets routed into a configured tunnel interface (the routing can be done with EIGRP, as in your example). The tunnel destination is reachable through an interface where the crypto map is applied. This crypto map only has to act on the GRE packets, so these have to be specified in the crypto ACL. In that case you do not need any end-to-end definition in your crypto ACL.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
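The replies above all come down to "construct the packet on paper": once the LAN packet has been routed into Tunnel0, the crypto map on FastEthernet0/1 only ever sees a GRE packet between the tunnel endpoints, so a crypto ACL written for the 10.31.31.x tunnel addresses (or for the LAN-to-LAN flow) never matches it. The following is an added example, not code from the thread or from Cisco: a small model that parses IOS extended-ACL permit lines (host/any/wildcard syntax), builds the GRE outer header the way the router does, evaluates the crypto ACL against it, and checks that the two peers' ACLs mirror each other. The addresses are the thread's lab addresses; the ACL texts are constructed from the configs posted above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    """Only what a crypto ACL can see: the outermost IP header."""
    proto: str   # "gre", "icmp", ...
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One permit entry of an IOS extended ACL; proto "ip" matches any protocol."""
    proto: str
    src: IPv4Network
    dst: IPv4Network


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], int(IPv4Address(tokens[i + 1]))
    # A contiguous wildcard (0.0.63.255, 0.0.0.3, ...) is the inverse of a subnet mask.
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]} not supported")
    prefix = 32 - wildcard.bit_length()
    return IPv4Network(f"{addr}/{prefix}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'permit <proto> <src> <dst>' line of an IOS extended ACL."""
    t = line.split()
    if t[0] != "permit":
        raise ValueError("only permit entries select traffic for a crypto map")
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return Ace(t[1].lower(), src, dst)


def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip().startswith("permit")]


def selects(acl, pkt):
    """True if a crypto map whose 'match address' names this ACL would protect pkt."""
    s, d = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    return any(a.proto in ("ip", pkt.proto) and s in a.src and d in a.dst for a in acl)


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """The packet as the crypto map on the physical interface sees it after the
    inner packet was routed into Tunnel0: GRE between the tunnel endpoints.
    The inner header (LAN hosts or the 10.31.31.x tunnel IPs) is payload only."""
    return Packet("gre", tunnel_src, tunnel_dst)


def mirrored(acl_a, acl_b):
    """Crypto ACLs must be mirror images: what A protects, B must expect protected."""
    a = sorted((e.proto, str(e.src), str(e.dst)) for e in acl_a)
    b = sorted((e.proto, str(e.dst), str(e.src)) for e in acl_b)
    return a == b


# Lab addresses from the thread; the ACL texts are constructed for this example.
MEL_WAN, BAL_WAN = "192.168.100.29", "192.168.200.30"

FIRST_MEL_ACL = parse_acl("permit gre host 10.31.31.1 host 10.31.31.2")
FIRST_BAL_ACL = parse_acl("""
permit gre host 10.31.31.2 host 10.31.31.1
permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip host 192.168.200.30 host 192.168.100.29
""")
END_TO_END_ACL = parse_acl("permit ip 172.17.0.0 0.0.63.255 172.17.32.0 0.0.31.255")
GRE_MEL_ACL = parse_acl(f"permit gre host {MEL_WAN} host {BAL_WAN}")
GRE_BAL_ACL = parse_acl(f"permit gre host {BAL_WAN} host {MEL_WAN}")


def protected_via_tunnel(acl, inner):
    """Route inner into Tunnel0 on Melbourne, then ask Fa0/1's crypto map."""
    return selects(acl, gre_encapsulate(inner, MEL_WAN, BAL_WAN))


def demo():
    lan_ping = Packet("icmp", "172.17.0.254", "172.17.32.254")
    return {
        "tunnel_ip_acl_protects": protected_via_tunnel(FIRST_MEL_ACL, lan_ping),
        "end_to_end_acl_protects": protected_via_tunnel(END_TO_END_ACL, lan_ping),
        "gre_endpoint_acl_protects": protected_via_tunnel(GRE_MEL_ACL, lan_ping),
        "first_acls_mirrored": mirrored(FIRST_MEL_ACL, FIRST_BAL_ACL),
        "gre_acls_mirrored": mirrored(GRE_MEL_ACL, GRE_BAL_ACL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the entry written for the physical tunnel endpoints selects the GRE packet, and only the pair of `permit gre` entries is mirrored, which is the combination the accepted answer asks for (crypto map on the physical interface, not on Tunnel0). The model deliberately ignores inner headers, because that is exactly what a crypto map on the outside interface does.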