
VPN Question about Encryption

travis.slessar
Level 1

Hello all

I am currently studying for my CCNA at university and we are doing a group project in which we have to set up an encrypted VPN tunnel. It is a lab environment, which is the reason Fast Ethernet ports are being used for the WAN link between sites. Our tunnel is working, as we only get EIGRP adjacency when the tunnel is activated, but it is not encrypting the traffic. I have pasted the config from the two routers below in the hope that someone will spot the problem, missing parameter, etc. Thanks in advance:

Melbourne Router

sh run

Building configuration...

Current configuration : 2701 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Melbourne

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$a6cF$hku9VwfFY2t91gYi56.f00

enable password cisco

!

no aaa new-model

!

!

ip cef

!

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

log config

  hidekeys

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key 0zMult1 address 192.168.200.30

!

!

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

!

crypto map VPN-MAP 10 ipsec-isakmp

set peer 192.168.200.30

set security-association lifetime seconds 28800

set transform-set VPN-SET

match address VPN-ACL

!

!

!

!

!

!

!

interface Tunnel0

ip address 10.31.31.1 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 192.168.200.30

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.2

encapsulation dot1Q 2

ip address 172.17.0.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.3

encapsulation dot1Q 3

ip address 172.17.1.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.4

encapsulation dot1Q 4

ip address 172.17.2.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.5

encapsulation dot1Q 5

ip address 172.17.3.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.6

encapsulation dot1Q 6

ip address 172.17.4.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.10

encapsulation dot1Q 10

ip address 172.17.5.22 255.255.255.248

interface FastEthernet0/0.20

encapsulation dot1Q 20

ip address 172.17.5.14 255.255.255.240

!

interface FastEthernet0/0.99

encapsulation dot1Q 99 native

ip address 172.17.99.254 255.255.255.0

!

interface FastEthernet0/1

ip address 192.168.100.29 255.255.255.0

duplex auto

speed auto

crypto map VPN-MAP

!

router eigrp 32

network 10.31.31.0 0.0.0.3

network 172.17.0.0 0.0.0.255

network 172.17.1.0 0.0.0.255

network 172.17.2.0 0.0.0.255

network 172.17.3.0 0.0.0.255

network 172.17.4.0 0.0.0.255

network 172.17.5.0 0.0.0.15

network 172.17.5.16 0.0.0.7

no auto-summary

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.100.1

!

!

ip http server

no ip http secure-server

!

ip access-list extended VPN-ACL

permit gre host 10.31.31.1 host 10.31.31.2

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

line con 0

logging synchronous

line aux 0

line vty 0 4

password ciscoccna

login

!

scheduler allocate 20000 1000

!

end

Melbourne

Ballarat Router

sh run

Building configuration...

Current configuration : 2371 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Ballarat

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$jo2Y$N/21BdfKAKs5A.N6xuMBd0

enable password cisco

!

no aaa new-model

!

!

ip cef

!

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

log config

  hidekeys

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key 0zMult1 address 192.168.100.29

!

!

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

!

crypto map VPN-MAP 10 ipsec-isakmp

set peer 192.168.100.29

set security-association lifetime seconds 28880

set transform-set VPN-SET

match address VPN-ACL

!

!

!

!

!

!

!

interface Tunnel0

ip address 10.31.31.2 255.255.255.252

tunnel source FastEthernet0/1

tunnel destination 192.168.100.29

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.7

encapsulation dot1Q 7

ip address 172.17.32.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.8

encapsulation dot1Q 8

ip address 172.17.33.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.9

encapsulation dot1Q 9

ip address 172.17.34.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 172.17.35.14 255.255.255.240

!

interface FastEthernet0/0.99

encapsulation dot1Q 99 native

ip address 172.17.99.254 255.255.255.0

!

interface FastEthernet0/1

ip address 192.168.200.30 255.255.255.0

duplex auto

speed auto

!

router eigrp 32

network 10.31.31.0 0.0.0.3

network 172.17.32.0 0.0.0.255

network 172.17.33.0 0.0.0.255

network 172.17.34.0 0.0.0.255

network 172.17.35.0 0.0.0.15

no auto-summary

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.200.1

!

!

ip http server

no ip http secure-server

!

ip access-list extended VPN-ACL

permit gre host 10.31.31.2 host 10.31.31.1

permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255

permit ip host 192.168.200.30 host 192.168.100.29

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

logging synchronous

line aux 0

line vty 0 4

password ciscoccna

login

!

scheduler allocate 20000 1000

!

end

Ballarat#


7 Replies

As you are in the process of learning the stuff, there is no working config in my posting ... ;-)

Think about the definition of a crypto ACL, where you specify which traffic should be protected and at the same time which traffic is expected to arrive protected. A rule of thumb was that these ACLs should be symmetrical on both ends (most of the time). In your config they are not.

Then think about the encapsulation-process how an IP-packet travels to the router, gets encapsulated into GRE and that resulting packet gets protected with IPsec. With that you know which entry you need in that crypto ACL.

And think about what activates your IPsec-policy (crypto-map). Is there everything in place what is needed?

And as an optional exercise think about the difference of tunnel- and transport mode and what that means for your resulting IPsec-packets.

Have fun with your IPsec-lab!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for the reply, I understand what you're saying to a degree. This is a university project, but we are encouraged to research the answers to the problem on the internet. The project is an industry-standard work that is a combination of all skills gained in our course, including Windows Server, RHEL, Cisco and security principles. My role is actually to configure and maintain our three RHEL server boxes, but my team is struggling with the Cisco config, hence my post in these forums. Cheers, Travis

On top of what Karsten is saying, you need to understand the concept of encapsulation. Looking at your proxy ACL, it seems you don't get it right.

Basically you don't need to protect GRE between the two 10.x addresses, but if you construct the packet on paper, you will see your crypto ACL needs to protect GRE between 192.168.200.30 and 192.168.100.29.

Of course the ACL needs to be mirrored on the other side accordingly.

Cheers,

Olivier

I have taken the advice and reconfigured the routers from the start; the config is below. When I do an extended ping from e.g. 172.17.0.254 to 172.17.32.254 the encryption works, but in normal operation, e.g. ping 172.17.32.254 from the Melbourne router, it is not encrypted. Your help so far has been greatly appreciated; I feel like I'm close but just missing something.

Melbourne Router

sh run

Building configuration...

Current configuration : 2514 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Melbourne

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$7qHs$UoHdnPwf3r1XMEuZDNOj2/

!

no aaa new-model

!

!

ip cef

!

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

log config

  hidekeys

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key 0zMult1 address 192.168.200.30

!

!

crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer 192.168.200.30

set transform-set esp-aes-sha

match address 101

!

!

!

!

!

!

!

interface Tunnel0

ip address 10.31.31.1 255.255.255.252

keepalive 10 3

tunnel source FastEthernet0/1

tunnel destination 192.168.200.30

crypto map vpn

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.2

encapsulation dot1Q 2

ip address 172.17.0.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.3

encapsulation dot1Q 3

ip address 172.17.1.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.4

encapsulation dot1Q 4

ip address 172.17.2.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.5

encapsulation dot1Q 5

ip address 172.17.3.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.6

encapsulation dot1Q 6

ip address 172.17.4.254 255.255.255.0

ip helper-address 172.17.5.1

!

interface FastEthernet0/0.10

encapsulation dot1Q 10

ip address 172.17.5.22 255.255.255.248

!

interface FastEthernet0/0.20

encapsulation dot1Q 20

ip address 172.17.5.14 255.255.255.240

!

interface FastEthernet0/1

ip address 192.168.100.29 255.255.255.0

duplex auto

speed auto

crypto map vpn

!

router eigrp 32

network 10.31.31.0 0.0.0.3

network 172.17.0.0 0.0.63.255

no auto-summary

neighbor 10.31.31.2 Tunnel0

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.100.1

ip route 172.17.32.0 255.255.224.0 FastEthernet0/1

!

!

ip http server

no ip http secure-server

!

access-list 101 permit ip 172.17.0.0 0.0.63.255 172.17.32.0 0.0.31.255

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

password 0zMult1

logging synchronous

login

line aux 0

line vty 0 4

password 0zMult1

login

line vty 5 15

password 0zMult1

login

!

scheduler allocate 20000 1000

!

end

Melbourne#

Ballarat Router

sh run

Building configuration...

Current configuration : 2311 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Ballarat

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$t57B$BHoVOKDxpTEcXwWeIO4y1/

!

no aaa new-model

!

!

ip cef

!

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

archive

log config

  hidekeys

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key 0zMult1 address 192.168.100.29

!

!

crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer 192.168.100.29

set transform-set esp-aes-sha

match address 101

!

!

!

!

!

!

!

interface Tunnel0

ip address 10.31.31.2 255.255.255.252

keepalive 10 3

tunnel source FastEthernet0/1

tunnel destination 192.168.100.29

crypto map vpn

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.7

encapsulation dot1Q 7

ip address 172.17.32.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.8

encapsulation dot1Q 8

ip address 172.17.33.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.9

encapsulation dot1Q 9

ip address 172.17.34.254 255.255.255.0

ip helper-address 172.17.35.1

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 172.17.35.14 255.255.255.240

!

interface FastEthernet0/1

ip address 192.168.200.30 255.255.255.0

duplex auto

speed auto

crypto map vpn

!

router eigrp 32

passive-interface default

no passive-interface Tunnel0

network 10.31.31.0 0.0.0.3

network 172.17.32.0 0.0.0.255

network 172.17.33.0 0.0.0.255

network 172.17.34.0 0.0.0.255

network 172.17.35.0 0.0.0.15

network 172.17.32.0 0.0.31.255

no auto-summary

neighbor 10.31.31.1 Tunnel0

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.200.1

!

!

ip http server

no ip http secure-server

!

access-list 101 permit ip 172.17.32.0 0.0.31.255 172.17.0.0 0.0.63.255

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

password 0zMult1

logging synchronous

login

line aux 0

line vty 0 4

password 0zMult1

login

line vty 5 15

password 0zMult1

login

!

scheduler allocate 20000 1000

!

end

Ballarat#

Hello,

1. Crypto maps on tunnel interfaces are not supported. Can you remove that?

2. Your crypto ACL should be permit gre host 192.168.100.29 host 192.168.200.30 [since you want to protect GRE, so you will select the tunnel source and destination endpoints]

Cheers,

So I need to remove the crypto map from Tunnel0 and should create an extended ACL such as:

ip access-list extended VPN-ACL

permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255

permit GRE host 192.168.200.30 host 192.168.100.29

apply that to the crypto map and then mirror it on the other router?

Thanks so much to everyone for their input I have learnt a lot.

Cheers

You are mixing up two different ways to implement VPNs:

1) pure IPSec:

The IP packet is routed to the outside interface. A crypto map is applied there with a crypto ACL that specifies the end-to-end communication, for example the traffic from 172.17.0.0/19 to 172.17.32.0/19. The packet gets encapsulated/protected and the resulting IPsec packet is sent to the other side. No tunnel interface or GRE is involved here.

2) The GRE-approach:

The packet gets routed into a configured tunnel interface (the routing can be done with EIGRP as in your example). The tunnel destination is reachable through an interface where the crypto map is applied. This crypto map only has to act on the GRE packets; these have to be specified in the crypto ACL. In that case you do not need any end-to-end definition in your crypto ACL.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
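The "construct the packet on paper" exercise that Olivier and Karsten describe, as an added Python model that is not part of this thread or of IOS: a LAN packet is routed into Tunnel0, wrapped in GRE with the tunnel endpoints as the outer header, and only that outer header is what the crypto map on FastEthernet0/1 evaluates against the crypto ACL. The addresses are the thread's; the LAN ping, the wildcard matcher and the mirror check are simplified constructions for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # IP protocol as the ACL sees it: "gre", "icmp", ...
    src: str
    dst: str

@dataclass(frozen=True)
class AclEntry:
    proto: str   # "ip" matches any protocol, otherwise an exact name
    src: str
    src_wild: str
    dst: str
    dst_wild: str

def host(addr: str):
    """IOS 'host A' is shorthand for 'A 0.0.0.0'."""
    return addr, "0.0.0.0"

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    # Bits set in the wildcard are "don't care"; the rest must equal base.
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_protects(acl: list, p: Packet) -> bool:
    return any(e.proto in ("ip", p.proto)
               and wildcard_match(p.src, e.src, e.src_wild)
               and wildcard_match(p.dst, e.dst, e.dst_wild) for e in acl)

def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Routing into Tunnel0 wraps the packet in GRE (IP protocol 47); the
    crypto map on the physical interface only ever sees this outer header."""
    return Packet("gre", tunnel_src, tunnel_dst)

def mirror(acl: list) -> list:
    return [AclEntry(e.proto, e.dst, e.dst_wild, e.src, e.src_wild) for e in acl]

def is_mirrored(local: list, remote: list) -> bool:
    return set(mirror(local)) == set(remote)

# WAN addresses from the thread; the LAN ping is a constructed sample.
MEL_WAN, BAL_WAN = "192.168.100.29", "192.168.200.30"
LAN_PING = Packet("icmp", "172.17.0.254", "172.17.32.254")
ORIGINAL_MEL_ACL = [AclEntry("gre", *host("10.31.31.1"), *host("10.31.31.2"))]
CORRECTED_MEL_ACL = [AclEntry("gre", *host(MEL_WAN), *host(BAL_WAN))]
CORRECTED_BAL_ACL = [AclEntry("gre", *host(BAL_WAN), *host(MEL_WAN))]

def lan_ping_is_encrypted(acl: list) -> bool:
    """Is a Melbourne-LAN to Ballarat-LAN packet protected once it leaves
    FastEthernet0/1 as a GRE packet?"""
    return acl_protects(acl, gre_encapsulate(LAN_PING, MEL_WAN, BAL_WAN))
```

The original ACL never matches because the GRE packet carries 192.168.x.x addresses, not the 10.31.31.x tunnel addresses; the corrected entry matches, and its mirror on Ballarat matches the return traffic.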
