09-29-2008 10:00 AM - edited 02-20-2020 09:41 PM
Hi, Guys
Would you please help me with this case?
When configuring spoke-to-spoke DMVPN with multiple hubs (GRE IPSEC EIGRP) what traffic should be permitted on the outside physical interface on a spoke router?
!
ip access-list extended CRYPTO-ONLY
permit esp [IPSEC Remote Peers] [IPSEC Local Peer]
permit udp [IPSEC Remote Peers] [IPSEC Local Peer] eq isakmp
permit gre [IPSEC Remote Peers] [IPSEC Local Peer]
!
interface FastEthernet
ip access-group CRYPTO-ONLY in
!
If I remove the last line from the access-list, where "GRE" is permitted, the router never builds EIGRP neighbor relationships. Should this line be present? If yes, is any unencrypted GRE traffic going out?
Thanks in advance,
Mladen
09-29-2008 10:34 AM
Hi Mladen,
The access list bound to the outside interface is checked twice, i.e. before and after the decryption. That is why you need to permit the unencrypted GRE packets also.
HTH
Saju
pls rate helpful posts
09-29-2008 10:37 AM
Thanks for the response.
It is strange that the ACL is checked twice. I thought that the traffic is encrypted on the tunnel interface (where the ipsec profile is applied) and then passed to the outside interface.
Regards,
Mladen
09-29-2008 10:51 AM
This checking of the access list is for IOS before version 12.3(8)T. The Crypto Access Check on Clear-Text Packets feature removes the need for IPsec traffic to be permitted explicitly in the access list.
"Before Cisco IOS version 12.3(8)T, packets received on an interface with an inbound ACL and a crypto map were checked by the inbound ACL twice, before decryption, and as clear-text, following decryption. The Crypto Access Check on Clear-Text Packets feature removes the checking of clear-text packets that go through the IPsec tunnel just before encryption or just after decryption."
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp80710
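The two answers above describe two different ACL behaviours: the older "double check" (the inbound ACL sees the ESP packet on the wire and then the decrypted clear-text GRE packet), and the Crypto Access Check on Clear-Text Packets behaviour, where the post-decryption check is skipped. The following is an added model of that difference, not configuration or code from the thread or from Cisco: it evaluates the CRYPTO-ONLY list from the original question against constructed packets, with and without the "permit gre" line, in both modes. The hub and spoke addresses, the packet samples and the rule representation are all constructed for illustration; it models only the interface ACL, not the crypto map or tunnel processing that follows it.

```python
"""
Added example (not from the thread): a small model of how an inbound ACL on
the spoke's outside interface is applied to DMVPN control traffic.

Two behaviours from the thread are modelled:
  * clear_text_check=True  : pre-12.3(8)T "double check". The ACL is applied
    to the packet as it arrives (ESP / ISAKMP) and again to the clear-text
    GRE packet exposed after decryption.
  * clear_text_check=False : Crypto Access Check on Clear-Text Packets. The
    post-decryption check is skipped, so only the ESP / ISAKMP rules matter.

Addresses and packets below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

LOCAL_PEER = "203.0.113.10"              # spoke outside address (constructed)
HUBS = ["198.51.100.1", "198.51.100.2"]  # two DMVPN hubs (constructed)
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: str                 # "esp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str
    src: str                   # exact address or "any"
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def spoke_acl(peers: List[str], local: str, permit_gre: bool) -> List[Rule]:
    """The CRYPTO-ONLY list from the question, expanded per peer, with or
    without the 'permit gre' line."""
    rules: List[Rule] = []
    for peer in peers:
        rules.append(Rule("permit", "esp", peer, local))
        rules.append(Rule("permit", "udp", peer, local, ISAKMP_PORT))
        if permit_gre:
            rules.append(Rule("permit", "gre", peer, local))
    return rules


def inbound_checks(rules: List[Rule], wire_pkt: Packet,
                   inner_pkt: Optional[Packet], clear_text_check: bool) -> bool:
    """True if the packet survives the interface ACL.
    wire_pkt is what arrives on the interface; inner_pkt is the clear-text
    packet after decryption (None if the packet is not IPsec-protected).
    The inner packet is re-checked only when clear_text_check is True."""
    if not acl_permits(rules, wire_pkt):
        return False
    if clear_text_check and inner_pkt is not None:
        return acl_permits(rules, inner_pkt)
    return True


def eigrp_hello_reaches_router(permit_gre: bool, clear_text_check: bool,
                               hub: str = HUBS[0]) -> bool:
    """Does an EIGRP hello from `hub`, carried as GRE inside ESP, pass the ACL?"""
    rules = spoke_acl(HUBS, LOCAL_PEER, permit_gre)
    wire = Packet("esp", hub, LOCAL_PEER)
    inner = Packet("gre", hub, LOCAL_PEER)
    return inbound_checks(rules, wire, inner, clear_text_check)


def isakmp_reaches_router(hub: str = HUBS[0]) -> bool:
    """IKE from a listed hub needs only the isakmp line, in either mode."""
    rules = spoke_acl(HUBS, LOCAL_PEER, permit_gre=False)
    return inbound_checks(rules, Packet("udp", hub, LOCAL_PEER, ISAKMP_PORT), None, True)


def gre_from_unknown_source_reaches_router(src: str = "192.0.2.99") -> bool:
    """Clear-text GRE from an address that is not a listed peer hits the
    implicit deny, even with the 'permit gre' line present."""
    rules = spoke_acl(HUBS, LOCAL_PEER, permit_gre=True)
    return inbound_checks(rules, Packet("gre", src, LOCAL_PEER), None, False)


if __name__ == "__main__":
    for ct in (True, False):
        for gre in (True, False):
            ok = eigrp_hello_reaches_router(gre, ct)
            print(f"clear-text check={ct!s:5} permit gre={gre!s:5} -> "
                  f"EIGRP neighbors form: {'yes' if ok else 'no'}")
```

Running the block prints a four-row matrix: with the clear-text re-check on, removing the "permit gre" line blocks the decrypted GRE packet and EIGRP neighbors never form (the symptom in the question); with the re-check off, the GRE line makes no difference to EIGRP because only the ESP and ISAKMP rules are ever consulted.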
09-29-2008 11:22 PM
Hi,
Again, thanks for the response.
I am testing on IOS 12.4T.
Still, as far as I understand, with the "Crypto Access Check on Clear-Text Packets" applied, the GRE row in the ACL should not be necessary?
Thanks in advance,
Mladen