Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
5
Helpful
2
Replies

crypto map + gre question

Leonardo Pena Davila
Spotlight
Spotlight

‎11-14-2008 08:50 PM

Hi

I would like to clarify what it means if I put 0.0.0.0 0.0.0.0 when I apply this command

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

Another question

If I have a GRE over IPsec

access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

using the Ip address of each endpoint will be correct to encrypt all traffic coming/going from my LAN?

I have a site A (14.38.88.20 ) and site B (14.36.88.6) connected over leased line I want to encrypt my data for security reasons. Do I need to declare all my LAN networks on the ACL?

I am not very clear about this

What should I do?

thanks

regards

Labels:
0 Helpful
2 Replies 2

joe19366
Level 1
Level 1

‎11-14-2008 09:27 PM

1. crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

this is a wild card key; often used with DMVPN hub's... it lets anyone in using this key ;)

2. That is correct. What this means is the GRE traffic is the "interesting traffic" the vpn crypto map will encrypt with IPSEC.

You do not need to declare all your networks, in fact that is beauty of GRE/IPSEC vpn. You simply add more routes to the gre tunnel and they all pass inside the source/destination ip listed in the source X and destination Y outside GRE addresses of the tunnel. You can use tunnel VTI config so you dont even have to apply the crypto map to any specifc interface. an example would be as follows -

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

crypto isakmp key thegoodkey address 72.10.196.10 no-xauth

crypto isakmp key thegoodkey address 72.10.22.186 no-xauth

crypto ipsec transform-set default esp-aes esp-sha-hmac

crypto ipsec profile usngprofile

set transform-set default

crypto map usngnyc 100 ipsec-isakmp

set peer 72.10.196.10

set transform-set default

match address usngnyc-usngla

crypto map usngnyc 110 ipsec-isakmp

set peer 72.10.22.186

set transform-set default

match address usngnyc-usngprinceton

!

interface Tunnel24

description IPSEC/GRE tunnel to usng-LA

ip address 172.17.0.26 255.255.255.252

tunnel source 71.90.217.154

tunnel destination 72.10.196.10

tunnel mode ipsec ipv4

tunnel protection ipsec profile usngprofile

!

interface Tunnel28

description IPSEC/GRE tunnel to usng-STAMFORD

ip address 172.17.0.30 255.255.255.252

tunnel source 71.90.217.154

tunnel destination 72.10.22.186

tunnel mode ipsec ipv4

tunnel protection ipsec profile usngprofile

ip access-list extended usngnyc-usngla

permit ip host 71.90.217.154 host 72.10.196.10

ip access-list extended usngnyc-usngstamford

permit ip host 71.90.217.154 host 72.10.22.186

Note: this config allows you to simply use any outbound interface to reach the destination of the tunnel interface that is protected with a tunnel protection of IPSEC.

-Joe

Leonardo Pena Davila
Spotlight
Spotlight
In response to joe19366

‎11-15-2008 08:17 PM

Hi Joe,

Thanks a lot for your time and explanation. It was very helpfull

Regards

0 Helpful
Customers Also Viewed These Support Documents