GRE+IPSEC

Sep 9th, 2007

THIS IS MY NETWORK:

HTTP SERVER - 10.10.X.X:8080
        |
GATEWAY-FIREWALL-1811
        |
192.168.251.X
        |
1811-ROUTER1
X.X.X.X / TUNNEL 192.168.200.1/30
        |
    GRE+IPSEC
        |
Y.Y.Y.Y / TUNNEL 192.168.200.2/30
1711-ROUTER2
        |
192.168.190.X/24



GATEWAY-FIREWALL-1811

version 12.4
!
interface FastEthernet0
 ip address 10.10.X.X 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 192.168.251.1 255.255.255.0
 ip access-group WEBSERVER in
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 192.168.190.0 255.255.255.0 192.168.251.2
ip route 192.168.200.0 255.255.255.252 192.168.251.2
ip route X.X.X.X 255.255.255.252 192.168.251.2
!
ip access-list extended WEBSERVER
 permit tcp any host 10.10.X.X eq 8080
 permit icmp any any
 permit tcp any any eq 22
 permit tcp any eq 22 any
 deny ip any any



1811-ROUTER1

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN-TUNNEL 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set PROBA
 match address 140
!
interface Tunnel1
 ip address 192.168.200.1 255.255.255.252
 ip mtu 1420
 ip virtual-reassembly
 ip tcp adjust-mss 1436
 tunnel source FastEthernet1
 tunnel destination Y.Y.Y.Y
 crypto map VPN-TUNNEL
!
interface FastEthernet0
 ip address 192.168.251.2 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address X.X.X.X 255.255.255.252
 ip access-group FROM_INTERNET in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-TUNNEL
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.30.X.X 255.255.255.0 192.168.251.1
ip route 192.168.190.0 255.255.255.0 Tunnel1
!
ip access-list extended FROM_INTERNET
 permit icmp any any
 permit gre host Y.Y.Y.Y host X.X.X.X
 permit esp host Y.Y.Y.Y host X.X.X.X
 permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X
 deny ip any any
!
access-list 140 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 140 permit ip 10.30.X.X 0.0.0.255 192.168.190.0 0.0.0.255
no cdp run
!



1711-ROUTER2

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.190.1
!
ip dhcp pool sdm-pool
 import all
 network 192.168.190.0 255.255.255.0
 default-router 192.168.190.1
 lease 0 2
!
ip cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN-TUNNEL 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set PROBA
 match address 140
!
interface Tunnel1
 ip address 192.168.200.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 tunnel source FastEthernet0
 tunnel destination X.X.X.X
 crypto map VPN-TUNNEL
!
interface FastEthernet0
 ip address Y.Y.Y.Y 255.255.255.0
 ip access-group 130 in
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN-TUNNEL
!
interface Vlan1
 description $OFFICE-LAN$
 ip address 192.168.190.1 255.255.255.0
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y
ip route 10.30.X.X 255.255.255.0 Tunnel1
ip route 192.168.251.0 255.255.255.0 Tunnel1
!
access-list 130 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 130 permit esp host X.X.X.X host Y.Y.Y.Y
access-list 130 permit udp host X.X.X.X eq isakmp host Y.Y.Y.Y
access-list 140 permit gre host Y.Y.Y.Y host X.X.X.X
access-list 140 permit ip 192.168.190.0 0.0.0.255 10.30.X.X 0.0.0.255
no cdp run
!


I would like to encrypt all traffic between network 10.30.X.X and 192.168.190.0. Is this possible with access-list 140 in this example or not?

If the answer is no, help me configure the routers to encrypt all traffic between 10.30.X.X and 192.168.190.0.

vaba Mon, 09/10/2007 - 02:22

Can I use all these commands on the same router "1811-ROUTER1":


crypto ipsec profile vpn
 set transform-set PROBA

on interface Tunnel1:
 tunnel protection ipsec profile vpn

crypto map VPN-TUNNEL 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set PROBA
 match address 140

on interface FastEthernet1:
 crypto map VPN-TUNNEL

and

access-list 140 permit gre host Y.Y.Y.Y host X.X.X.X
access-list 140 permit ip 192.168.190.0 0.0.0.255 10.30.X.X 0.0.0.255


Is it necessary to use "crypto isakmp profile"?

Thanks in advance.

Please post any example or any link.


a.alekseev Mon, 09/10/2007 - 02:44

Should be something like this:

!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
no crypto isakmp identity dn
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
 mode transport
!
NO crypto map VPN-TUNNEL 10 ipsec-isakmp
crypto ipsec profile vpn
 set transform-set PROBA
!
interface Tunnel1
 ip address 192.168.200.1 255.255.255.252
 ip mtu 1420
 ip virtual-reassembly
 ip tcp adjust-mss 1380
 tunnel source FastEthernet1
 tunnel destination Y.Y.Y.Y
 no crypto map VPN-TUNNEL
 tunnel protection ipsec profile vpn
!
interface FastEthernet0
 ip address 192.168.251.2 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address X.X.X.X 255.255.255.252
 ip access-group FROM_INTERNET in
 ip virtual-reassembly
 duplex auto
 speed auto
 no crypto map VPN-TUNNEL
!
ip access-list extended FROM_INTERNET
 permit icmp any any
 permit gre host Y.Y.Y.Y host X.X.X.X
 permit esp host Y.Y.Y.Y host X.X.X.X
 permit udp host Y.Y.Y.Y host X.X.X.X eq 500
 permit udp host Y.Y.Y.Y host X.X.X.X eq 4500
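The two variants in this thread select GRE traffic for IPsec in different ways. With the crypto map on the physical interface (the original configs), the map is evaluated after GRE encapsulation, so the "permit gre host X.X.X.X host Y.Y.Y.Y" entry of access-list 140 is what covers everything routed into Tunnel1, the 10.30.X.X and 192.168.190.0 traffic included. With "tunnel protection ipsec profile" (the reply above), the whole tunnel is protected and no crypto ACL is involved. In both cases "set transform-set" must name a transform-set that was actually defined, or the profile or map has nothing to negotiate. As an added example that is not code from this thread or from Cisco, the Python script below parses the crypto-relevant lines of two IOS-style configs and reports a transform-set referenced under an undefined name, a crypto-map peer that does not match the tunnel destination, and a crypto-map ACL that lacks the GRE entry between the tunnel endpoints. The two sample configs it checks are constructed, with 203.0.113.1 and 198.51.100.1 standing in for X.X.X.X and Y.Y.Y.Y.

```python
"""Consistency checks for a GRE-over-IPsec router pair in Cisco IOS syntax.
Added example, not code from this thread or from Cisco. It parses only the
crypto-relevant lines of two configs and flags the slips this thread invites:
a 'set transform-set' naming a set that was never defined (a mistyped name)
and a crypto-map ACL without the 'permit gre' entry between the tunnel
endpoints. The sample configs below are constructed; 203.0.113.1 and
198.51.100.1 stand in for the thread's X.X.X.X and Y.Y.Y.Y."""
from collections import defaultdict


def parse(name, text):
    """Collect transform-sets, profiles, crypto maps, numbered ACLs and interfaces."""
    s = {"name": name, "ts": {}, "profiles": {}, "maps": {},
         "acls": defaultdict(list), "ifs": {}}
    ctx = None  # (section, dict) of the stanza we are inside
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!" or t[0].lower() == "no":  # 'no ...' means absent
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"][t[3]] = tuple(t[4:])
        elif t[:3] == ["crypto", "ipsec", "profile"]:
            ctx = ("profiles", s["profiles"].setdefault(t[3], {}))
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # crypto map definition
            ctx = ("maps", s["maps"].setdefault(t[2], {}))
        elif t[:2] == ["crypto", "map"] and ctx and ctx[0] == "ifs":  # map applied
            ctx[1]["map"] = t[2]
        elif t[0] == "interface":
            ctx = ("ifs", s["ifs"].setdefault(t[1], {}))
        elif t[0] == "access-list" and t[2] == "permit":
            s["acls"][t[1]].append(" ".join(t[3:]))  # e.g. 'gre host A host B'
        elif ctx is None:
            continue
        elif t[:2] in (["set", "transform-set"], ["set", "peer"], ["match", "address"]):
            ctx[1][{"transform-set": "ts", "peer": "peer", "address": "acl"}[t[1]]] = t[2]
        elif t[:2] in (["ip", "address"], ["tunnel", "source"], ["tunnel", "destination"]):
            ctx[1][t[1]] = t[2]  # keys: address, source, destination
        elif t[:3] == ["tunnel", "protection", "ipsec"]:
            ctx[1]["profile"] = t[4]
    return s


def check(*routers):
    """Return findings for the given routers; an empty list means consistent."""
    out = []
    for s in routers:
        n = s["name"]
        for kind in ("profiles", "maps"):
            for key, d in s[kind].items():
                if d.get("ts") not in s["ts"]:
                    out.append(f"{n}: {kind[:-1]} {key} references undefined transform-set {d.get('ts')}")
        for ifname, tun in s["ifs"].items():
            if "destination" not in tun or "profile" in tun:
                continue  # not a tunnel, or tunnel protection already covers all its GRE
            # 'tunnel source' may name an interface or give an address; resolve to the IP
            src = s["ifs"].get(tun.get("source", ""), {}).get("address", tun.get("source"))
            dst = tun["destination"]
            phys = next((d for d in s["ifs"].values() if d.get("address") == src), {})
            m = s["maps"].get(phys.get("map"))
            if m is None:
                out.append(f"{n}: {ifname} has neither tunnel protection nor a crypto map on its source interface; GRE leaves in cleartext")
                continue
            if m.get("peer") != dst:
                out.append(f"{n}: crypto map peer {m.get('peer')} is not the {ifname} destination {dst}")
            # the crypto map sees GRE-encapsulated packets: only a 'permit gre' entry selects the tunnel
            if f"gre host {src} host {dst}" not in s["acls"].get(m.get("acl"), []):
                out.append(f"{n}: ACL {m.get('acl')} on crypto map {phys['map']} lacks 'permit gre host {src} host {dst}', so {ifname} traffic is not selected for encryption")
    return out


# Constructed samples: ROUTER1 uses tunnel protection but mistypes the transform-set
# name; ROUTER2 keeps a crypto map whose ACL only lists the inner networks.
ROUTER1_CFG = """\
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
crypto ipsec profile vpn
 set transform-set PPOBA
interface Tunnel1
 tunnel source FastEthernet1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile vpn
interface FastEthernet1
 ip address 203.0.113.1 255.255.255.252
"""

ROUTER2_CFG = """\
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
crypto map VPN-TUNNEL 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set PROBA
 match address 140
interface Tunnel1
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
interface FastEthernet0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-TUNNEL
access-list 140 permit ip 192.168.190.0 0.0.0.255 10.30.0.0 0.0.0.255
"""


def sample_findings():
    """Run the checks over the constructed pair; two findings are expected."""
    return check(parse("ROUTER1", ROUTER1_CFG), parse("ROUTER2", ROUTER2_CFG))
```

Calling sample_findings() on the constructed pair returns one finding per slip; correcting the transform-set name and adding "access-list 140 permit gre host 198.51.100.1 host 203.0.113.1" on ROUTER2 brings the list to empty. The parser deliberately treats any "no ..." line as absent, so the reply's "no crypto map VPN-TUNNEL" lines are read the way the router would apply them.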
