06-03-2010 08:13 PM
How do I secure this scenario?
1) Site A has a 2821 router and an IP connection to site C's 2821 across another organization's IP network.
2) Site B has a 2821 router with an MPLS connection to site C's 2821.
This is easy enough to connect and get working with clear-text connections and GRE tunnels, but I'm leaving my network open to the other organization and to the MPLS service provider.
I'm thinking some flavor of encryption between the routers with GRE tunnels for routing the actual traffic.
Thank you in advance for any recommendations and config examples.
06-04-2010 01:15 AM
Hi Tod,
if you already operate GRE tunnels you can simply turn them into "VTI" interfaces.
A VTI (virtual tunnel interface) is similar to GRE, but it uses IPsec directly instead of GRE to encapsulate the packets.
Here is a sample:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key [ike-key] address [address-of-other-router] 255.255.255.255
crypto isakmp keepalive 10
!
! The IPsec profile referenced by "tunnel protection" below must exist,
! and it needs a transform set:
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set VTI-TS
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 10.0.149.220
 tunnel destination 10.0.149.221
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
taken from
I wish you success with the encrypted tunnel
MiKa
06-04-2010 04:20 AM
A VTI sounds like most of my answer, thanks.
Does a VTI protect against intrusions into the physical interface? I guess I'm wondering about how to configure the physical interface to allow only the tunnel and drop everything else (SSH, Telnet, ping, etc.). I'm expecting some sort of access list or something as well.
06-04-2010 04:41 AM
Hi Tod,
you can deploy a separate ACL on the physical interface, which allows only the tunnel itself (udp/500 and ESP). The ACL on the VTI would control the traffic through the tunnel.
Rgds,
MiKa
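Putting the two answers together (the VTI sample above and the two-ACL split: one on the physical interface, one on the tunnel), here is an added example configuration for site C's 2821 with one VTI to site A over the other organization's network and one to site B over the MPLS connection. It is an added illustration, not code from the thread or from Cisco. All addresses, interface names, tunnel numbers, ACL names and pre-shared keys are assumed for illustration; it uses AES-256, SHA and DH group 14 instead of the 3DES/group 2 in the sample above, which assumes an IOS release that supports them. The per-peer physical-interface ACL also permits udp/4500 in case NAT-T is in the path, which the thread does not mention.

```cisco
! --- Site C (hub) 2821: IPsec VTIs to site A and site B ---
! Example configuration; addresses, names and keys are assumed.
!
! IKE phase 1: AES-256/SHA/group 14 (stronger than the 3DES sample)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per peer, bound to that peer's address only
crypto isakmp key SITE-A-KEY address 198.51.100.10 255.255.255.255
crypto isakmp key SITE-B-KEY address 203.0.113.20 255.255.255.255
! Dead peer detection so a dead tunnel is torn down and rebuilt
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set VTI-TS
 set pfs group14
!
! ACLs applied to the VTIs: these see the DECRYPTED traffic, so they
! control what the remote LANs may reach (LANs assumed: A=10.1/16,
! B=10.2/16, C=10.3/16).
ip access-list extended FROM-SITE-A
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
 deny   ip any any log
!
ip access-list extended FROM-SITE-B
 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
 deny   ip any any log
!
! ACLs applied inbound on the physical interfaces: only IKE (udp/500),
! NAT-T (udp/4500) and ESP from the known peer reach the router.
! SSH, Telnet, ping and anything else from the transport network is dropped.
ip access-list extended SITE-A-WAN-IN
 permit udp host 198.51.100.10 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.10 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.10 host 192.0.2.1
 deny   ip any any log
!
ip access-list extended SITE-B-WAN-IN
 permit udp host 203.0.113.20 host 192.0.2.5 eq isakmp
 permit udp host 203.0.113.20 host 192.0.2.5 eq non500-isakmp
 permit esp host 203.0.113.20 host 192.0.2.5
 deny   ip any any log
!
! Physical interface towards the other organization's IP network (site A path)
interface GigabitEthernet0/0
 description WAN to other organization (towards site A)
 ip address 192.0.2.1 255.255.255.252
 ip access-group SITE-A-WAN-IN in
 no cdp enable
!
! Physical interface towards the MPLS provider (site B path)
interface GigabitEthernet0/1
 description MPLS to provider (towards site B)
 ip address 192.0.2.5 255.255.255.252
 ip access-group SITE-B-WAN-IN in
 no cdp enable
!
interface Tunnel1
 description IPsec VTI to site A
 ip address 192.168.10.1 255.255.255.252
 ip access-group FROM-SITE-A in
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description IPsec VTI to site B
 ip address 192.168.10.5 255.255.255.252
 ip access-group FROM-SITE-B in
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Remote LANs are reached only through the tunnels, so LAN traffic can never
! leave the router unencrypted; the peers' public addresses go via the WAN.
ip route 10.1.0.0 255.255.0.0 Tunnel1
ip route 10.2.0.0 255.255.0.0 Tunnel2
ip route 198.51.100.10 255.255.255.255 192.0.2.2
ip route 203.0.113.20 255.255.255.255 192.0.2.6
```

Sites A and B get the mirror image: one VTI with `tunnel destination` set to site C's WAN address and a physical-interface ACL permitting isakmp, non500-isakmp and esp from that address only. Because the tunnel ACLs see cleartext, any routing protocol run across the VTIs (EIGRP, OSPF) needs its own permit lines in FROM-SITE-A and FROM-SITE-B, and management of the remote routers should then go through the tunnel rather than over the transport network. Use `show crypto isakmp sa` and `show crypto ipsec sa` to confirm the SAs are up, and `show ip access-lists` to see the deny counters increment when something other than IKE/ESP arrives on the physical interface.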