Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
807
Views
0
Helpful
3
Replies

Force traffic down the tunnel?

Go to solution
fgleeson
Level 1
Level 1

‎04-15-2008 04:57 AM - edited ‎03-09-2019 08:31 PM

No IPSEC applied anywhere yet.

If you have 2 routers configured back-to-back with physical interfaces and tunnel interfaces - which path will traffic travel over?

Answer - it will follow the path from the routing table i suppose. Be it OSPF or static routes or whatever.

Standard enough.

Now add IPSEC alone.

Now OSPF fails as IPSEC does not support multicast.

Standard enough.

Now, add IPSEC and GRE to the mix. Apply the crypto map to both physical and tunnel interfcaes.

Included here is the common ACL that is associated with GRE. That is :-

access-list 100 permit gre host [source physical address] host [destination physical address]

This is the ACL that is supposed to define what traffic is "interesting" and that needs to be encrypted.

Let's repeat the question - where does the traffic go?

I assume its the same answer. Refer to the routing table.

But what traffic is encrypted? Answer - ONLY the traffic that is destined for the tunnel interface IP's.

If you ping from physical to physical it will be unencrypted.

Question - do you need to force ALL traffic down the tunnel interface in order for it to match the ACL and therefore to get encrypted?

How do we accomplish this????

Discussion and debate would be greatly appreciated.

It

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
andrew.prince
Level 10
Level 10

‎04-15-2008 06:07 AM

Only traffic with the source/destination of the tunnel interfaces - you only encapsulate & encrypt what enters/exits the tunnel. If you have two sites connected via a IPSEC VPN, the "interesting" traffic for the VPN is the source/destination on the tunnel interfaces....you need to put LAN traffic into the tunnel interfaces. So you either have static routes, or you run a dynamic routing protocol like OSPF or EIGRP.

You could have a default routing pointing to the firewall, a dynamic routing protocol running - so all "internal" traffic will run over the tunnel=encrypted=vpn to remote site, while all "internet" traffic routes to the firewall and leaves normally.

HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andrew.prince
Level 10
Level 10

‎04-15-2008 06:07 AM

Only traffic with the source/destination of the tunnel interfaces - you only encapsulate & encrypt what enters/exits the tunnel. If you have two sites connected via a IPSEC VPN, the "interesting" traffic for the VPN is the source/destination on the tunnel interfaces....you need to put LAN traffic into the tunnel interfaces. So you either have static routes, or you run a dynamic routing protocol like OSPF or EIGRP.

You could have a default routing pointing to the firewall, a dynamic routing protocol running - so all "internal" traffic will run over the tunnel=encrypted=vpn to remote site, while all "internet" traffic routes to the firewall and leaves normally.

HTH

0 Helpful

Go to solution
fgleeson
Level 1
Level 1
In response to andrew.prince

‎04-15-2008 07:00 AM

Andrew,

Thanks for the reply and it's just the answer i was looking for.

I know it's a basic question, but sometimes it's best to ask the obvious ones.

There is a lot of documentation around setting up IPSEC and GRE, but very little about the obvious of forcing traffic into this tunnel.

Static routes sound about right. I'm away to test in the lad.

Appreciate it.

0 Helpful

Go to solution
andrew.prince
Level 10
Level 10
In response to fgleeson

‎04-15-2008 07:19 AM

OK - no problem, glad to help.

0 Helpful
Customers Also Viewed These Support Documents