crypto map + gre question

Unanswered Question
Nov 14th, 2008

Hi

I would like to clarify what it means if I put 0.0.0.0 0.0.0.0 when I apply this command

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

Another question

If I have a GRE over IPsec

access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

using the Ip address of each endpoint will be correct to encrypt all traffic coming/going from my LAN?

I have a site A (14.38.88.20 ) and site B (14.36.88.6) connected over leased line I want to encrypt my data for security reasons. Do I need to declare all my LAN networks on the ACL?

I am not very clear about this

What should I do?

thanks

regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.

1. crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

this is a wild card key; often used with DMVPN hub's... it lets anyone in using this key ;)

2. That is correct. What this means is the GRE traffic is the "interesting traffic" the vpn crypto map will encrypt with IPSEC.

You do not need to declare all your networks, in fact that is beauty of GRE/IPSEC vpn. You simply add more routes to the gre tunnel and they all pass inside the source/destination ip listed in the source X and destination Y outside GRE addresses of the tunnel. You can use tunnel VTI config so you dont even have to apply the crypto map to any specifc interface. an example would be as follows -

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

crypto isakmp key thegoodkey address 72.10.196.10 no-xauth

crypto isakmp key thegoodkey address 72.10.22.186 no-xauth

crypto ipsec transform-set default esp-aes esp-sha-hmac

crypto ipsec profile usngprofile

set transform-set default

crypto map usngnyc 100 ipsec-isakmp

set peer 72.10.196.10

set transform-set default

match address usngnyc-usngla

crypto map usngnyc 110 ipsec-isakmp

set peer 72.10.22.186

set transform-set default

match address usngnyc-usngprinceton

!

interface Tunnel24

description IPSEC/GRE tunnel to usng-LA

ip address 172.17.0.26 255.255.255.252

tunnel source 71.90.217.154

tunnel destination 72.10.196.10

tunnel mode ipsec ipv4

tunnel protection ipsec profile usngprofile

!

interface Tunnel28

description IPSEC/GRE tunnel to usng-STAMFORD

ip address 172.17.0.30 255.255.255.252

tunnel source 71.90.217.154

tunnel destination 72.10.22.186

tunnel mode ipsec ipv4

tunnel protection ipsec profile usngprofile

ip access-list extended usngnyc-usngla

permit ip host 71.90.217.154 host 72.10.196.10

ip access-list extended usngnyc-usngstamford

permit ip host 71.90.217.154 host 72.10.22.186

Note: this config allows you to simply use any outbound interface to reach the destination of the tunnel interface that is protected with a tunnel protection of IPSEC.

-Joe

Actions

This Discussion