IPSEC GRE - Security Q?

Answered Question
Jul 16th, 2010

Hi


I use this template for IPSEC GRE VPN.

Looking for a recommendation on securing the router so that no traffic other than the GRE VPN is allowed. All other traffic should be blocked.




crypto isakmp key mtt3rvLBO3jCoV50zoE address 192.168.1.2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
crypto map Knight 10 ipsec-isakmp
 set transform-set TS
 set peer 192.168.1.2
 match address 101
!
crypto ipsec profile IPsecP
 set transform-set TS
!
interface Serial0
 ip address 192.168.1.1 255.255.255.252
!
access-list 101 permit gre host 192.168.1.1 host 192.168.2.1
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1300
 tunnel source Serial0
 tunnel destination 192.168.2.1
 tunnel protection ipsec profile IP
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.0.0.0 255.0.0.0 Tunnel0

Richard Burts Sat, 07/17/2010 - 05:48

There are a few inconsistencies in your config that puzzle me.

The crypto key and the crypto map say that your peer is 192.168.1.2, which would be the device connected by your serial interface. But the tunnel destination and access list 101 specify 192.168.2.1. Is that a typo or is that intended?

If you are using the Tunnel Protection Profile then why is there a crypto map in your template?


If you really mean that you want only the GRE VPN traffic to be allowed then I would suggest that you add this to your config:

access-list 110 permit udp host 192.168.1.1 host 192.168.2.1 eq 500
access-list 110 permit esp host 192.168.1.1 host 192.168.2.1
access-list 110 deny ip any any
interface serial0
 ip access-group 110 in

This will deny anything that is not GRE VPN.

Are you sure that there is not any management traffic or anything else that you might want to go through the serial interface?


HTH


Rick

saquib.tandel Sat, 07/17/2010 - 06:02

Hi Rick,


Those were typos.


I would have around 25 IPSEC GRE Tunnels and one management VLAN on the Router.

The routing protocol running on the IPSEC GRE tunnels would be OSPF, and a couple with EIGRP.



So I understand from your reply that I need to have a two-line ACL for each peer.


Thanks again.

ST

Correct Answer
Richard Burts Sat, 07/17/2010 - 10:59

ST


Yes, you need 2 lines in the access list per remote peer. You need to permit UDP 500, which is ISAKMP and does the negotiation of encryption keys for the IPSec session. And you need to permit ESP, which is what carries the encrypted traffic.


As I read my response I see that I have a logical error in the example that I gave. I reversed the source and destination addresses. I said:

access-list 110 permit udp host 192.168.1.1 host 192.168.2.1 eq 500
access-list 110 permit esp host 192.168.1.1 host 192.168.2.1

and it should be:

access-list 110 permit udp host 192.168.2.1 host 192.168.1.1 eq 500
access-list 110 permit esp host 192.168.2.1 host 192.168.1.1


HTH


Rick
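Added example (not code from the thread or from Cisco): a small Python script that generates the inbound ACL Rick describes for any number of remote peers (UDP/500 and ESP from each remote peer to the local WAN address, followed by an explicit deny) and evaluates it against constructed packets with IOS first-match semantics. It uses the addresses from the thread (192.168.1.1 local, 192.168.2.1 remote) and a constructed set of 25 peer addresses for the 25-tunnel case; the ACL line format is a minimal subset of numbered-ACL syntax, and it assumes there is no NAT between the peers (so no NAT-T on UDP/4500 is needed). Running it shows that the first, reversed version of the ACL would have dropped the peer's inbound ISAKMP, while the corrected version permits ISAKMP and ESP and nothing else.

```python
"""Added example (not from the thread): build the per-peer inbound ACL that
Rick describes and evaluate it against constructed packets, first match wins."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: IP protocol name, addresses, UDP/TCP dest port."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def build_peer_acl(acl_num: int, local_ip: str, peers: List[str]) -> List[str]:
    """Two lines per remote peer (ISAKMP and ESP), source = remote peer,
    destination = local interface, as in the corrected answer; then deny all.
    Assumption: no NAT between peers, so NAT-T (UDP/4500) is not required."""
    ip_address(local_ip)  # fail early on a malformed address
    lines = []
    for peer in peers:
        ip_address(peer)
        lines.append(f"access-list {acl_num} permit udp host {peer} host {local_ip} eq 500")
        lines.append(f"access-list {acl_num} permit esp host {peer} host {local_ip}")
    lines.append(f"access-list {acl_num} deny ip any any")
    return lines


def _parse(line: str):
    """Parse the subset of numbered-ACL syntax used here:
    access-list N permit|deny PROTO (host A|any) (host B|any) [eq PORT]"""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto, rest = toks[2], toks[3], toks[4:]

    def take_addr(r):
        if r[0] == "any":
            return None, r[1:]
        if r[0] == "host":
            return r[1], r[2:]
        raise ValueError(f"unsupported address form in: {line}")

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport


def evaluate(acl: List[str], pkt: Packet) -> bool:
    """IOS-style evaluation: the first matching entry decides; implicit deny at the end."""
    for line in acl:
        action, proto, src, dst, dport = _parse(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False


def demo() -> dict:
    """Compare the first (reversed) ACL with the corrected one for packets
    arriving inbound on Serial0 from the remote peer."""
    local, peer = "192.168.1.1", "192.168.2.1"
    reversed_acl = [  # source/destination swapped, as first posted
        f"access-list 110 permit udp host {local} host {peer} eq 500",
        f"access-list 110 permit esp host {local} host {peer}",
        "access-list 110 deny ip any any",
    ]
    corrected = build_peer_acl(110, local, [peer])
    isakmp_in = Packet("udp", peer, local, 500)
    esp_in = Packet("esp", peer, local)
    plain_gre = Packet("gre", peer, local)               # GRE not wrapped in ESP
    ssh_probe = Packet("tcp", "203.0.113.7", local, 22)  # constructed outside host
    many_peers = [f"10.200.0.{i}" for i in range(1, 26)]  # constructed 25-peer list
    return {
        "reversed_permits_isakmp": evaluate(reversed_acl, isakmp_in),
        "corrected_permits_isakmp": evaluate(corrected, isakmp_in),
        "corrected_permits_esp": evaluate(corrected, esp_in),
        "corrected_permits_plain_gre": evaluate(corrected, plain_gre),
        "corrected_permits_ssh": evaluate(corrected, ssh_probe),
        "lines_for_25_peers": len(build_peer_acl(110, local, many_peers)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The generator keeps the deny as the last line so that, with 25 peers, the list is 51 entries and every peer's ISAKMP and ESP entries precede it; plaintext GRE from a peer is denied because the GRE packets that matter arrive inside ESP.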
