DMVPN GRE ACCESS LIST

Answered Question
Sep 29th, 2008

Hi, Guys


Would you please help me with this case?


When configuring spoke-to-spoke DMVPN with multiple hubs (GRE IPSEC EIGRP) what traffic should be permitted on the outside physical interface on a spoke router?


!
ip access-list extended CRYPTO-ONLY
 permit esp [IPSEC Remote Peers] [IPSEC Local Peer]
 permit udp [IPSEC Remote Peers] [IPSEC Local Peer] eq isakmp
 permit gre [IPSEC Remote Peers] [IPSEC Local Peer]
!
interface FastEthernet
 ip access-group CRYPTO-ONLY in
!


If I remove the last line from the access-list, where "GRE" is permitted, the router never builds EIGRP neighbor relationships. Should this line be present? If yes, is any unencrypted GRE traffic going out?


Thanks in advance,


Mladen

Correct Answer by singhsaju about 8 years 8 months ago

Hi Mladen,

The access list bound to the outside interface is checked twice, i.e. before and after decryption. That is why you need to permit the unencrypted GRE packets also.


HTH

Saju

pls rate helpful posts




mladentsvetkov Mon, 09/29/2008 - 10:37

Thanks for the response.


It is strange that the ACL is checked twice. I thought that the traffic is encrypted on the tunnel interface (where the ipsec profile is applied) and then passed to the outside interface.


Regards,


Mladen

singhsaju Mon, 09/29/2008 - 10:51

This checking of the access list is for IOS before version 12.3(8)T. The Crypto Access Check on Clear-Text Packets feature removes the need for IPsec traffic to be specified explicitly in the access list.

"Before Cisco IOS version 12.3(8)T, packets received on an interface with an inbound ACL and a crypto map were checked by the inbound ACL twice, before decryption, and as clear-text, following decryption. The Crypto Access Check on Clear-Text Packets feature removes the checking of clear-text packets that go through the IPsec tunnel just before encryption or just after decryption."


http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp80710
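To make the two behaviours described in this answer concrete, here is a small Python model of how the inbound ACL on the spoke's outside interface is evaluated before and after 12.3(8)T. It is an added example, not configuration or code from the thread or from Cisco; the peer addresses are constructed placeholders, and the ACL entries mirror the CRYPTO-ONLY list from the question.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the model; not taken from the original thread.
LOCAL_PEER = "198.51.100.10"                       # spoke outside interface
REMOTE_PEERS = {"203.0.113.1", "203.0.113.2"}      # hub peers the spoke trusts

@dataclass(frozen=True)
class Packet:
    proto: str                           # "esp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None          # only meaningful for udp
    payload: Optional["Packet"] = None   # ESP carries the GRE packet it protects

# Each ACE is (protocol, destination port or None), scoped to the
# remote-peer -> local-peer pair exactly like the CRYPTO-ONLY ACL.
CRYPTO_ONLY = [("esp", None), ("udp", 500), ("gre", None)]
NO_GRE_LINE = CRYPTO_ONLY[:2]            # the same ACL with the GRE entry removed

def acl_permits(acl, pkt: Packet) -> bool:
    """Top-down first-match evaluation with IOS's implicit deny at the end."""
    for proto, dport in acl:
        if (pkt.proto == proto and pkt.src in REMOTE_PEERS
                and pkt.dst == LOCAL_PEER and dport in (None, pkt.dport)):
            return True
    return False

def inbound_accepted(acl, pkt: Packet, ios_before_12_3_8T: bool) -> bool:
    """Before 12.3(8)T the inbound ACL is applied to the ESP packet and again
    to the decrypted clear-text packet; from 12.3(8)T on only the first
    check runs (the Crypto Access Check on Clear-Text Packets feature)."""
    if not acl_permits(acl, pkt):
        return False
    if pkt.proto == "esp" and ios_before_12_3_8T and pkt.payload is not None:
        return acl_permits(acl, pkt.payload)    # second pass on clear-text GRE
    return True

def eigrp_hello_from(hub: str) -> Packet:
    """An EIGRP hello rides inside GRE, which is then protected by ESP."""
    gre = Packet("gre", hub, LOCAL_PEER)
    return Packet("esp", hub, LOCAL_PEER, payload=gre)

if __name__ == "__main__":
    hello = eigrp_hello_from("203.0.113.1")
    for name, acl in (("CRYPTO-ONLY", CRYPTO_ONLY), ("without gre", NO_GRE_LINE)):
        for old in (True, False):
            ver = "pre-12.3(8)T" if old else "12.3(8)T+"
            print(f"{name:12} {ver:13} accepted={inbound_accepted(acl, hello, old)}")
```

Run as a script it shows that dropping the GRE entry only breaks EIGRP on the older code path, and that the GRE entry still admits clear-text GRE solely from the listed peers, so a GRE packet from an unknown source is denied either way.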

mladentsvetkov Mon, 09/29/2008 - 23:22

Hi,


Again, thanks for the response.


I am testing on IOS 12.4T.


Still, as far as I understand, with the "Crypto Access Check on Clear-Text Packets" applied, the GRE row in the ACL should not be necessary?


Thanks in advance,


Mladen

