Cisco Support Community
Force traffic down the tunnel?

No IPSEC applied anywhere yet.

If you have 2 routers configured back-to-back with physical interfaces and tunnel interfaces - which path will traffic travel over?

Answer - it will follow the path from the routing table, I suppose. Be it OSPF or static routes or whatever.

Standard enough.

Now add IPSEC alone.

Now OSPF fails as IPSEC does not support multicast.

Standard enough.

Now, add IPSEC and GRE to the mix. Apply the crypto map to both physical and tunnel interfaces.

Included here is the common ACL that is associated with GRE. That is :-

access-list 100 permit gre host [source physical address] host [destination physical address]

This is the ACL that is supposed to define what traffic is "interesting" and that needs to be encrypted.

Let's repeat the question - where does the traffic go?

I assume it's the same answer. Refer to the routing table.

But what traffic is encrypted? Answer - ONLY the traffic that is destined for the tunnel interface IPs.

If you ping from physical to physical it will be unencrypted.

Question - do you need to force ALL traffic down the tunnel interface in order for it to match the ACL and therefore to get encrypted?

How do we accomplish this????

Discussion and debate would be greatly appreciated.

Accepted Solution

Re: Force traffic down the tunnel?

Only traffic with the source/destination of the tunnel interfaces - you only encapsulate & encrypt what enters/exits the tunnel. If you have two sites connected via an IPSEC VPN, the "interesting" traffic for the VPN is the source/destination on the tunnel interfaces... you need to put LAN traffic into the tunnel interfaces. So you either have static routes, or you run a dynamic routing protocol like OSPF or EIGRP.

You could have a default route pointing to the firewall, and a dynamic routing protocol running - so all "internal" traffic will run over the tunnel=encrypted=vpn to the remote site, while all "internet" traffic routes to the firewall and leaves normally.

HTH
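The accepted answer in configuration form, as an added example that is not from the thread or from Cisco: a static route sends the remote LAN into Tunnel0, so that traffic leaves as GRE, matches ACL 100 and is encrypted, while Internet traffic keeps its normal next hop and is not. All addresses, interface names, the map/transform-set names and the pre-shared key are constructed placeholders.

```cisco
! R1 -- constructed example addresses, names and key (hypothetical, not the thread's)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic: only GRE between the two physical addresses, as in the thread.
access-list 100 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 100
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 crypto map CM
!
interface GigabitEthernet0/0
 description WAN; IPsec peer and firewall share this segment
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
!
interface GigabitEthernet0/1
 description LAN 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
!
! The step the thread asks about: route the remote LAN into the tunnel so it is
! GRE-encapsulated and therefore matches ACL 100 and gets encrypted.
ip route 192.168.2.0 255.255.255.0 Tunnel0
! Everything else keeps its normal next hop (the firewall) and stays cleartext.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
! R2 mirrors R1 with the addresses swapped; only the lines that differ are shown:
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.1
access-list 100 permit gre host 203.0.113.2 host 203.0.113.1
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

To check it, ping 192.168.2.1 from a host on 192.168.1.0/24 and watch the encaps/decaps counters in `show crypto ipsec sa` increase; a ping between 203.0.113.1 and 203.0.113.2 is plain ICMP, not GRE, so it never matches ACL 100 and crosses the link unencrypted, exactly as the original post observed.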

3 REPLIES

Re: Force traffic down the tunnel?

Andrew,

Thanks for the reply, it's just the answer I was looking for.

I know it's a basic question, but sometimes it's best to ask the obvious ones.

There is a lot of documentation around setting up IPSEC and GRE, but very little about the obvious of forcing traffic into this tunnel.

Static routes sound about right. I'm away to test in the lab.

Appreciate it.

Re: Force traffic down the tunnel?

OK - no problem, glad to help.
