Cisco Support Community
New Member

DMVPN GRE ACCESS LIST

Hi, Guys

Would you please help me with this case?

When configuring spoke-to-spoke DMVPN with multiple hubs (GRE IPSEC EIGRP) what traffic should be permitted on the outside physical interface on a spoke router?

!
ip access-list extended CRYPTO-ONLY
 permit esp [IPSEC Remote Peers] [IPSEC Local Peer]
 permit udp [IPSEC Remote Peers] [IPSEC Local Peer] eq isakmp
 permit gre [IPSEC Remote Peers] [IPSEC Local Peer]
!
interface FastEthernet
 ip access-group CRYPTO-ONLY in
!

If I remove the last line from the access-list, where "GRE" is permitted, the router never builds EIGRP neighbor relationships. Should this line be present? If yes, is any unencrypted GRE traffic going out?

Thanks in advance,

Mladen

1 ACCEPTED SOLUTION

Silver

Re: DMVPN GRE ACCESS LIST

Hi Mladen,

The access list bound to the outside interface is checked twice, i.e. before and after decryption. That is why you need to permit the unencrypted GRE packets also.

HTH

Saju

pls rate helpful posts

4 REPLIES

New Member

Re: DMVPN GRE ACCESS LIST

Thanks for the response.

It is strange that the ACL is checked twice. I thought that the traffic is encrypted on the tunnel interface (where the ipsec profile is applied) and then passed to the outside interface.

Regards,

Mladen

Silver

Re: DMVPN GRE ACCESS LIST

This checking of the access list is for IOS before version 12.3(8)T. The Crypto Access Check on Clear-Text Packets feature removes the need for IPsec traffic to be permitted explicitly in the access list.

"Before Cisco IOS version 12.3(8)T, packets received on an interface with an inbound ACL and a crypto map were checked by the inbound ACL twice, before decryption, and as clear-text, following decryption. The Crypto Access Check on Clear-Text Packets feature removes the checking of clear-text packets that go through the IPsec tunnel just before encryption or just after decryption."

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp80710
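The following Python model is an added illustration of the two inbound-ACL behaviours described in the replies above; it is not Cisco code and not part of the original thread. It applies the CRYPTO-ONLY list from the question to an ESP packet from each hub, once as received and (for the pre-12.3(8)T behaviour) once more after decryption, so you can see why the GRE line decides whether EIGRP hellos reach the tunnel. The peer addresses, the `Packet`/`Ace` classes and the helper names are all constructed for this example.

```python
"""Model of the inbound ACL on a DMVPN spoke's outside interface.

Added example, not Cisco code. clear_text_check=True models IOS before
12.3(8)T (ACL applied to the packet as received and again to the
decrypted clear-text packet); clear_text_check=False models the Crypto
Access Check on Clear-Text Packets behaviour (only the received packet
is checked). Addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LOCAL_PEER = "203.0.113.10"                        # constructed spoke address
REMOTE_PEERS = ["198.51.100.1", "198.51.100.2"]    # constructed hub addresses


@dataclass(frozen=True)
class Packet:
    proto: str                  # "esp", "gre" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry: '<action> <proto> <src> <dst> [eq <dport>]'."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # host address, CIDR or "any"
    dst: str
    dport: Optional[int] = None

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self._addr_match(self.src, pkt.src)
                and self._addr_match(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def decrypt(pkt: Packet) -> Packet:
    """Model IPsec decryption: DMVPN carries GRE inside IPsec, so the
    clear-text packet is GRE between the same two peers."""
    assert pkt.proto == "esp"
    return Packet("gre", pkt.src, pkt.dst)


def inbound_allowed(acl: List[Ace], pkt: Packet, clear_text_check: bool) -> bool:
    """Does the received packet reach the tunnel interface?"""
    if not acl_permits(acl, pkt):          # check 1: packet as received
        return False
    if pkt.proto != "esp":
        return True                        # arrived in the clear; nothing to decrypt
    inner = decrypt(pkt)
    return acl_permits(acl, inner) if clear_text_check else True   # check 2


def crypto_only(remotes: List[str], local: str, allow_gre: bool) -> List[Ace]:
    """The CRYPTO-ONLY list from the question, one entry set per remote peer,
    with the 'permit gre' line optional."""
    acl: List[Ace] = []
    for remote in remotes:
        acl.append(Ace("permit", "esp", remote, local))
        acl.append(Ace("permit", "udp", remote, local, dport=500))   # eq isakmp
        if allow_gre:
            acl.append(Ace("permit", "gre", remote, local))
    return acl


def eigrp_neighbor_forms(allow_gre: bool, clear_text_check: bool) -> bool:
    """EIGRP hellos arrive as GRE inside ESP from each hub; the adjacency
    can only form if those packets reach the tunnel interface."""
    acl = crypto_only(REMOTE_PEERS, LOCAL_PEER, allow_gre)
    return all(inbound_allowed(acl, Packet("esp", hub, LOCAL_PEER), clear_text_check)
               for hub in REMOTE_PEERS)


def clear_text_gre_admitted(allow_gre: bool, src: str) -> bool:
    """A GRE packet that arrives without IPsec from `src`. The entry that
    admits decrypted GRE admits this too, which is the cost of needing it."""
    acl = crypto_only(REMOTE_PEERS, LOCAL_PEER, allow_gre)
    return inbound_allowed(acl, Packet("gre", src, LOCAL_PEER), clear_text_check=True)


if __name__ == "__main__":
    print("pre-12.3(8)T, no GRE line  :", eigrp_neighbor_forms(False, True))    # False
    print("pre-12.3(8)T, GRE line     :", eigrp_neighbor_forms(True, True))     # True
    print("12.3(8)T+,    no GRE line  :", eigrp_neighbor_forms(False, False))   # True
    print("clear-text GRE from hub    :", clear_text_gre_admitted(True, REMOTE_PEERS[0]))   # True
    print("clear-text GRE, no GRE line:", clear_text_gre_admitted(False, REMOTE_PEERS[0]))  # False
```

The model makes the defensive trade-off explicit: on the older behaviour the `permit gre` line is required for the decrypted EIGRP traffic to pass, but the same line also admits GRE that arrives on the outside interface in the clear from a listed peer address. Once the clear-text check is gone, the line can be dropped and only ESP and ISAKMP from the peers are accepted on the outside interface. On a real router, `show access-lists` hit counts on the GRE entry are the quick way to tell which behaviour your IOS image is applying.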

New Member

Re: DMVPN GRE ACCESS LIST

Hi,

Again, thanks for the response.

I am testing on IOS 12.4T.

Still, as far as I understand, with the "Crypto Access Check on Clear-Text Packets" applied, the GRE row in the ACL should not be necessary?

Thanks in advance,

Mladen
