GRE + IPSEC but don't encrypt certain traffic?

peter.rowe
Level 1

Hi There,

I am banging my head a bit here. I want to encrypt all traffic between 2 sites except voice.

On Cisco's site it would seem that the "crypto map" command should appear on both the physical interface (in this case the dialer) and on the Tunnel interface. Why is it needed on the Tunnel interface?

I have configured the following:

!
class-map match-all telnet
 match protocol telnet
class-map match-all citrix
 match protocol citrix
class-map match-all Telnet
 match protocol telnet
class-map match-all voice-signaling
 match access-group 151
class-map match-all voice-traffic
 match access-group 150
!
policy-map VOICE-POLICY
 class voice-traffic
  priority 96
 class voice-signaling
  bandwidth 8
 class citrix
  bandwidth 24
 class telnet
 class class-default
  fair-queue
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
crypto isakmp key 123456 address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set peter-set esp-des esp-sha-hmac
crypto ipsec transform-set DYNA-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map dynamap 10
 set transform-set DYNA-3DES
!
crypto map xxxx local-address Dialer1
crypto map xxxxx ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set peter-set
 match address vpn
 qos pre-classify
crypto map PeterHomemap 40 ipsec-isakmp dynamic dynamap
!
interface Tunnel1
 description Tunnel to Office
 bandwidth 256
 ip address 10.10.20.2 255.255.255.0
 qos pre-classify
 keepalive 10 3
 tunnel source Dialer1
 tunnel destination xxx.xxx.xxx.xxx
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip access-group inbound in
 ip mtu 1458
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer-group 1
 crypto map PeterHomemap
 service-policy output VOICE-POLICY
 hold-queue 224 in
!
ip access-list extended vpn
 deny udp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 range 16384 32767
 deny tcp 192.168.9.0 0.0.0.255 eq 1720 any
 deny tcp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1720
 permit gre host 10.10.20.2 host 10.10.20.1
 permit gre host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
!
access-list 150 remark Match all Voice Traffic
access-list 150 permit udp any any range 16384 37276
access-list 151 remark Match all Voice Signalling
access-list 151 permit tcp any eq 1720 any
access-list 151 permit tcp any any eq 1720

Can anyone suggest a better way of accomplishing encryption of only non-voice traffic? And if an expert out there can explain the Tunnel interface crypto map thing, that would be great!

Thanks,

Peter.


5 Replies

spremkumar
Level 9

Hi,

We need to have GRE tunnels to pass non-IP traffic as well as to run routing protocols with the locations.

Do refer to this link, where the same kind of scenario is discussed:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Regards

attrgautam
Level 5

Hi Peter,

Are you transporting GRE over IPSec or IPSec over GRE? If it is the first, there is no need to have crypto on the tunnel, but your ACL will have to change:

permit gre host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx

This one line would suffice in the ACL; there is no need for you to deny the voice traffic. It wouldn't get encrypted anyway. Ensure your IPSec traffic is routed through the tunnel. The tunnel in turn is encrypted. Voice will be routed to the dialer and not to the tunnel.

If it is the second case (IPSec over GRE), then route voice traffic over the tunnel, apply the crypto map on the tunnel only, and permit the IPSec traffic in the ACL.

If you can clarify this, it would be helpful.

Thanks for the reply,

Initially I thought I would have to do IPsec over a GRE tunnel (i.e. all traffic between private networks gets encrypted), but I did not consider what you suggested.

Can you perhaps clarify the best way to accomplish being able to tunnel all traffic via GRE but only encrypt (via IPsec) certain types of traffic?

Nothing is in stone here so I can reconfigure completely if needed... thanks again for your suggestions.

Accepted Solution

Let me explain the entire thing in full.

You have one public IP at either site and you form a GRE tunnel to route your private IPs over the GRE tunnel. This traffic includes voice and data. Then create your IPSec policy matching only the traffic to be encrypted (you don't have to explicitly deny voice traffic) and apply the crypto map on the tunnel. That should set up the IPSec VPN for you. This is the best way as far as I am concerned (I have done it in quite a few cases as well).

Instead of transporting all traffic through an IPSec VPN and data traffic over a GRE, I feel you can send voice traffic over GRE and encrypt the IPSec traffic over GRE.

Hope this clarifies.
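As an added illustration (not from this thread or from Cisco), here is a small Python model of Cisco extended-ACL matching applied to the posted "vpn" access list. It shows why the deny lines never take effect with the crypto map on Dialer1 (the ACL only sees the outer GRE header), and why, with the crypto map on Tunnel1 as the replies describe, the ACL has to permit the data traffic itself; the 203.0.113.x addresses stand in for the redacted public IPs and the sample flows are constructed.

```python
import ipaddress

def in_wildcard(addr, base, wildcard):
    # Cisco wildcard semantics: a set bit in the mask means "don't care".
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

# Entry: (action, proto, src, src_wc, dst, dst_wc, sport_range, dport_range); "any" is 0.0.0.0/255.255.255.255.
# 203.0.113.9 / 203.0.113.1 stand in for the post's redacted public addresses yyy (this site) and xxx (office).
VPN_ACL_AS_POSTED = [
    ("deny", "udp", "192.168.9.0", "0.0.0.255", "192.168.0.0", "0.0.255.255", None, (16384, 32767)),
    ("deny", "tcp", "192.168.9.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", (1720, 1720), None),
    ("deny", "tcp", "192.168.9.0", "0.0.0.255", "192.168.0.0", "0.0.255.255", None, (1720, 1720)),
    ("permit", "gre", "10.10.20.2", "0.0.0.0", "10.10.20.1", "0.0.0.0", None, None),
    ("permit", "gre", "203.0.113.9", "0.0.0.0", "203.0.113.1", "0.0.0.0", None, None),
]
# ACL for a crypto map on Tunnel1: keep the voice denies, then permit only the remaining inter-site traffic.
VPN_ACL_ON_TUNNEL = VPN_ACL_AS_POSTED[:3] + [
    ("permit", "ip", "192.168.9.0", "0.0.0.255", "192.168.0.0", "0.0.255.255", None, None)]

def crypto_decision(acl, pkt):
    # First match wins: permit = encrypt; deny or no match = forwarded in the clear.
    for action, proto, src, swc, dst, dwc, sp, dp in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (in_wildcard(pkt["src"], src, swc) and in_wildcard(pkt["dst"], dst, dwc)):
            continue
        if not (port_ok(sp, pkt.get("sport", 0)) and port_ok(dp, pkt.get("dport", 0))):
            continue
        return "encrypt" if action == "permit" else "clear"
    return "clear"

def gre_encapsulate(pkt):
    # A crypto map on Dialer1 sees only the outer GRE header added by Tunnel1, not the inner addresses/ports.
    return {"proto": "gre", "src": "203.0.113.9", "dst": "203.0.113.1"}

FLOWS = {  # constructed packets leaving the 192.168.9.0/24 site for the office LAN
    "rtp": {"proto": "udp", "src": "192.168.9.10", "dst": "192.168.1.20", "sport": 20000, "dport": 20000},
    "h323": {"proto": "tcp", "src": "192.168.9.10", "dst": "192.168.1.20", "sport": 40000, "dport": 1720},
    "citrix": {"proto": "tcp", "src": "192.168.9.30", "dst": "192.168.1.40", "sport": 40001, "dport": 1494},
}

def classify(acl, crypto_map_on):
    # Decision per flow with the crypto map on "Dialer1" (after GRE) or "Tunnel1" (before GRE).
    return {n: crypto_decision(acl, gre_encapsulate(p) if crypto_map_on == "Dialer1" else p)
            for n, p in FLOWS.items()}
```

Run `classify(VPN_ACL_AS_POSTED, "Dialer1")` and every flow, voice included, comes back "encrypt", while the same ACL on Tunnel1 encrypts nothing because no inner packet is GRE; only `VPN_ACL_ON_TUNNEL` gives the intended split.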

Thanks,

that clarifies things a bit. I will try the config and post back if it doesn't work!

Cheers.