DMVPN GRE ACCESS LIST

mladentsvetkov
Level 1

Hi, Guys

Would you please help me with this case?

When configuring spoke-to-spoke DMVPN with multiple hubs (GRE, IPsec, EIGRP), what traffic should be permitted on the outside physical interface of a spoke router?

!
ip access-list extended CRYPTO-ONLY
 permit esp [IPsec Remote Peers] [IPsec Local Peer]
 permit udp [IPsec Remote Peers] [IPsec Local Peer] eq isakmp
 permit gre [IPsec Remote Peers] [IPsec Local Peer]
!
interface FastEthernet
 ip access-group CRYPTO-ONLY in
!

If I remove the last line of the access list, where GRE is permitted, the router never builds EIGRP neighbor relationships. Should this line be present? If so, is any unencrypted GRE traffic going out?

Thanks in advance,

Mladen


singhsaju
Level 4

Hi Mladen,

The access list bound to the outside interface is checked twice, i.e. before and after decryption. That is why you need to permit the unencrypted GRE packets as well.

HTH

Saju

pls rate helpful posts


Thanks for the response.

It is strange that the ACL is checked twice. I thought that the traffic is encrypted on the tunnel interface (where the IPsec profile is applied) and then passed to the outside interface.

Regards,

Mladen

This checking of the access list applies to IOS before version 12.3(8)T. The Crypto Access Check on Clear-Text Packets feature removes the need for the IPsec traffic to be specified explicitly in the access list:

"Before Cisco IOS version 12.3(8)T, packets received on an interface with an inbound ACL and a crypto map were checked by the inbound ACL twice, before decryption, and as clear-text, following decryption. The Crypto Access Check on Clear-Text Packets feature removes the checking of clear-text packets that go through the IPsec tunnel just before encryption or just after decryption."

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp80710

Hi,

Again, thanks for the response.

I am testing on IOS 12.4T.

Still, as far as I understand, with the "Crypto Access Check on Clear-Text Packets" applied, the GRE row in the ACL should not be necessary?

Thanks in advance,

Mladen
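An added example for this thread (not configuration posted by any participant) showing a spoke's outside-interface filter written to cover both behaviours discussed above: the pre-decryption check, which only ever sees IKE and ESP from the peers, and the post-decryption re-check of the clear-text GRE that IOS before 12.3(8)T performed according to the document quoted earlier. Everything concrete here is an assumption: the spoke's public address 198.51.100.10 on FastEthernet0/0, peers in 203.0.113.0/24, two hubs at 203.0.113.1 and 203.0.113.2 with tunnel addresses 10.0.0.1 and 10.0.0.2, the NHRP key, and the IPsec profile name DMVPN-PROF. The ISAKMP policy, the IPsec profile itself and the EIGRP process are assumed to be configured elsewhere. The remark and ! lines are IOS's own comment forms.

```cisco
! Added example for this thread, not configuration from the original posts.
! Assumed addresses: spoke public 198.51.100.10, hubs 203.0.113.1/.2 (tunnel
! 10.0.0.1/.2), other spokes also in 203.0.113.0/24. DMVPN-PROF, the ISAKMP
! policy and the EIGRP process are assumed to exist already.
!
ip access-list extended CRYPTO-ONLY
 remark --- what the physical interface sees before decryption ---
 remark IKE (ISAKMP) from the peers
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq isakmp
 remark IKE and ESP over UDP 4500 when a peer sits behind NAT
 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq non500-isakmp
 remark the encrypted GRE tunnel itself
 permit esp 203.0.113.0 0.0.0.255 host 198.51.100.10
 remark --- only for IOS that re-runs this ACL on the decrypted packet ---
 remark (before 12.3(8)T per the quoted document): the clear-text GRE that
 remark carries NHRP and EIGRP. On newer IOS remove this line and confirm the
 remark EIGRP adjacency over Tunnel0 still forms before leaving it out.
 permit gre 203.0.113.0 0.0.0.255 host 198.51.100.10
 remark everything else is dropped; log it so filter mistakes show in syslog
 deny ip any any log
!
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 ip access-group CRYPTO-ONLY in
!
interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.2 203.0.113.2
 ip nhrp map multicast 203.0.113.2
 ip nhrp nhs 10.0.0.2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
```

Two checks worth doing before trusting this filter. First, the test the thread circles around: on the 12.4T spoke, remove the permit gre line and watch whether the EIGRP adjacency over Tunnel0 survives; if it does, the clear-text re-check is not happening on that release and the line only widens what the interface accepts. Second, on the question of whether unencrypted GRE goes out: this ACL is applied inbound only, and with tunnel protection the GRE packet is encapsulated in ESP before it is handed to the physical interface, so the permit gre entry does not cause clear-text GRE to be sent; it only decides whether clear-text GRE arriving from those addresses is accepted. Note also that in spoke-to-spoke DMVPN every other spoke is an IPsec peer, so if spoke public addresses are dynamic the 203.0.113.0/24 source above has to be widened (often to any for the isakmp, non500-isakmp and esp lines), and the real gate then becomes IKE authentication rather than this ACL.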