Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
714
Views
0
Helpful
1
Replies

Why does this work?

Cabalagent1
Community Member

‎02-04-2012 12:50 AM

I've been practicing some IPSec VPN scenarios, starting with the typical site-to-site VPN:

Router A

crypto map mymap 10 ipsec-isakmp

set peer 1.1.1.2

set transform-set myset

match address 101

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Router B

crypto map mymap 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set myset

match address 101

access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

This works as expected. Traffic from 10.1.1.x on Router A gets picked up by the crypto map and sent to RouterB and vice versa. What is confusing me is a more advanced scenario where I'm tunnelling GRE over IPSec with OSPF (why? Because I can).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Everything works just fine, but I'm bothered by the ACLs being used in the example. I don't see how everthing should be working- OSPF is fat and happy, and if I ping one spoke from another spoke from a loopback interface, it works as well. In this case, is the network traffic being picked up by the Tunnel interface first, and all the crypto map sees is GRE traffic by the time the packets make it that far?

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎02-04-2012 07:43 PM

Ian

You ask a question about the access lists and I believe that it will be easier to answer the question if we have the access lists to refer to. So here they are:

7206:access-list 130 permit gre host 14.36.88.6 host 14.38.88.40access-list 140 permit gre host 14.36.88.6 host 14.38.88.20access-list 150 permit gre host 14.36.88.6 host 14.38.88.102610:access-list 120 permit gre host 14.38.88.10 host 14.36.88.63620:access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

 3640:
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6


 
one of the first things to understand here (and you briefly mention it in your post) is that they are running OSPF dynamic routing protocol over the tunnels. So each router sees the path to get to the other router as being through the tunnel. So when the 2610 wants to get to the 7206 it will send that traffic to the tunnel interface. The tunnel interface will encapsulate the original packet in a GRE header. So yes the only thing that the access list will see is GRE traffic.

Anything that goes through the tunnel (whether it be a data packet or an OSPF routing update) is encapsulated in a GRE header and the access list does not see the original data but sees only GRE.

HTH

Rick
HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents