11-14-2008 08:50 PM
Hi
I would like to clarify what it means if I put 0.0.0.0 0.0.0.0 when I apply this command
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
Another question
If I have a GRE over IPsec
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6
Using the IP address of each endpoint, will this be correct to encrypt all traffic coming/going from my LAN?
I have a site A (14.38.88.20 ) and site B (14.36.88.6) connected over leased line I want to encrypt my data for security reasons. Do I need to declare all my LAN networks on the ACL?
I am not very clear about this
What should I do?
thanks
regards
11-14-2008 09:27 PM
1. crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
This is a wildcard key, often used with DMVPN hubs... it lets anyone in using this key ;)
2. That is correct. What this means is the GRE traffic is the "interesting traffic" the vpn crypto map will encrypt with IPSEC.
You do not need to declare all your networks; in fact, that is the beauty of GRE/IPSEC VPN. You simply add more routes to the GRE tunnel and they all pass inside the source/destination IP listed in the source X and destination Y outside GRE addresses of the tunnel. You can use tunnel VTI config so you don't even have to apply the crypto map to any specific interface. An example would be as follows -
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key thegoodkey address 72.10.196.10 no-xauth
crypto isakmp key thegoodkey address 72.10.22.186 no-xauth
!
crypto ipsec transform-set default esp-aes esp-sha-hmac
!
crypto ipsec profile usngprofile
 set transform-set default
!
crypto map usngnyc 100 ipsec-isakmp
 set peer 72.10.196.10
 set transform-set default
 match address usngnyc-usngla
crypto map usngnyc 110 ipsec-isakmp
 set peer 72.10.22.186
 set transform-set default
 match address usngnyc-usngstamford
!
interface Tunnel24
 description IPSEC/GRE tunnel to usng-LA
 ip address 172.17.0.26 255.255.255.252
 tunnel source 71.90.217.154
 tunnel destination 72.10.196.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile usngprofile
!
interface Tunnel28
 description IPSEC/GRE tunnel to usng-STAMFORD
 ip address 172.17.0.30 255.255.255.252
 tunnel source 71.90.217.154
 tunnel destination 72.10.22.186
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile usngprofile
!
ip access-list extended usngnyc-usngla
 permit ip host 71.90.217.154 host 72.10.196.10
ip access-list extended usngnyc-usngstamford
 permit ip host 71.90.217.154 host 72.10.22.186
Note: this config allows you to simply use any outbound interface to reach the destination of the tunnel interface that is protected with a tunnel protection of IPSEC.
-Joe
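As an added example that is not part of Joe's post or of any Cisco tooling, here is a small Python audit that reads an IOS-style config, flags a wildcard ISAKMP pre-shared key (the `address 0.0.0.0 0.0.0.0` form asked about above), and checks that every crypto map's `match address` points at an ACL that is actually defined. The sample config is constructed from fragments of this thread, including the crypto-map/ACL name mismatch, so that the checker has something to find.

```python
import re

# Constructed sample in the style of this thread's config (not a real device dump).
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp key thegoodkey address 72.10.196.10 no-xauth
crypto map usngnyc 100 ipsec-isakmp
 set peer 72.10.196.10
 match address usngnyc-usngla
crypto map usngnyc 110 ipsec-isakmp
 set peer 72.10.22.186
 match address usngnyc-usngprinceton
ip access-list extended usngnyc-usngla
 permit ip host 71.90.217.154 host 72.10.196.10
ip access-list extended usngnyc-usngstamford
 permit ip host 71.90.217.154 host 72.10.22.186
"""

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
ACL_RE = re.compile(r"^ip access-list extended (\S+)")


def audit(config: str) -> list:
    """Return a list of human-readable findings for the given IOS-style config."""
    findings = []
    acls = set()          # names of defined extended ACLs
    maps = {}             # (map name, seq) -> ACL named by 'match address' (or None)
    current = None        # crypto map entry whose sub-commands we are inside
    for line in config.splitlines():
        if m := KEY_RE.match(line):
            if m.group(2) == "0.0.0.0":
                findings.append(f"wildcard ISAKMP pre-shared key '{m.group(1)}': "
                                "any peer that knows the key can authenticate")
            current = None
        elif m := MAP_RE.match(line):
            current = (m.group(1), int(m.group(2)))
            maps[current] = None
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
            current = None
        elif current and line.strip().startswith("match address "):
            maps[current] = line.split()[-1]
    for (name, seq), acl in maps.items():
        if acl is None:
            findings.append(f"crypto map {name} {seq}: no 'match address', nothing is selected for encryption")
        elif acl not in acls:
            findings.append(f"crypto map {name} {seq}: 'match address {acl}' references an undefined ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample above it reports the wildcard key and the undefined `usngnyc-usngprinceton` ACL; a VTI-only design with `tunnel protection` needs no crypto map at all, so any leftover map entries are worth the same scrutiny.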
11-15-2008 08:17 PM
Hi Joe,
Thanks a lot for your time and explanation. It was very helpful.
Regards