01-20-2006 03:54 AM - edited 02-21-2020 02:12 PM
Hi There,
I am banging my head a bit here. I want to encrypt all traffic between 2 sites except voice.
On Cisco's site it would seem that the "crypto map" command should appear on both the physical (in this case dialer) and on the Tunnel interface. Why is it needed on the Tunnel interface?
I have configured the following:
!
class-map match-all telnet
match protocol telnet
class-map match-all citrix
match protocol citrix
class-map match-all Telnet
match protocol telnet
class-map match-all voice-signaling
match access-group 151
class-map match-all voice-traffic
match access-group 150
!
!
policy-map VOICE-POLICY
class voice-traffic
priority 96
class voice-signaling
bandwidth 8
class citrix
bandwidth 24
class telnet
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key 123456 address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set peter-set esp-des esp-sha-hmac
crypto ipsec transform-set DYNA-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map dynamap 10
set transform-set DYNA-3DES
!
!
crypto map xxxx local-address Dialer1
crypto map xxxxx ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set peter-set
match address vpn
qos pre-classify
crypto map PeterHomemap 40 ipsec-isakmp dynamic dynamap
!
!
!
interface Tunnel1
description Tunnel to Office
bandwidth 256
ip address 10.10.20.2 255.255.255.0
qos pre-classify
keepalive 10 3
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xxx
!
interface Dialer1
bandwidth 256
ip address negotiated
ip access-group inbound in
ip mtu 1458
ip nat outside
ip inspect myfw out
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
crypto map PeterHomemap
service-policy output VOICE-POLICY
hold-queue 224 in
!
ip access-list extended vpn
deny udp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 range 16384 32767
deny tcp 192.168.9.0 0.0.0.255 eq 1720 any
deny tcp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1720
permit gre host 10.10.20.2 host 10.10.20.1
permit gre host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
!
access-list 150 remark Match all Voice Traffic
access-list 150 permit udp any any range 16384 32767
access-list 151 remark Match all Voice Signalling
access-list 151 permit tcp any eq 1720 any
access-list 151 permit tcp any any eq 1720
Can anyone suggest a better way of accomplishing encryption of only non-voice traffic, and also if an expert out there can explain the Tunnel interface crypto map thing, that would be great!!
Thanks,
Peter.
Solved!
01-20-2006 08:08 PM
Let me explain the entire thing in full.
You have one public IP at either site and you form a GRE tunnel to route your private IPs over the GRE tunnel. This traffic includes voice and data. Then create your IPSec policy matching only the traffic to be encrypted (you don't have to explicitly deny voice traffic) and apply the crypto map on the tunnel. That should set up the IPSec VPN for you. This is the best way as far as I am concerned (I have done it in quite a few cases as well).
Instead of transporting all traffic through an IPSec VPN and data traffic over a GRE, I feel you can send voice traffic over GRE and encrypt the IPSec traffic over GRE.
Hope this clarifies.
01-20-2006 05:55 AM
Hi,
We need to have GRE tunnels to pass on non-IP traffic as well as to have routing protocols with the locations.
Do refer to this link where the same kind of scenario is discussed:
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Regards
01-20-2006 07:12 AM
Hi Peter,
Are you transporting GRE over IPSec or IPSec over GRE? If it is the first, there is no need to have crypto on the tunnel, but your ACL will have to change to:
permit gre host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
This one line would suffice in the ACL, and there is no need for you to deny the voice traffic. It wouldn't get encrypted anyway. Ensure your IPSec traffic is routed through the tunnel. The tunnel in turn is encrypted. Voice will be routed to the dialer and not to the tunnel.
If it is the second case (IPSec over GRE), then route voice traffic over the tunnel, apply the crypto map on the tunnel only, and permit the IPSec traffic in the ACL.
If you can clarify this, it would be helpful.
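To show what the two designs in this reply (and the accepted answer below) mean for the crypto ACL, here is an added Python model that is not part of the thread: with the crypto map on the dialer (GRE over IPsec) the ACL is checked against the outer GRE packet, so the RTP and H.323 deny lines never match and everything inside the tunnel is encrypted; with the crypto map on the tunnel only (IPsec over GRE) the ACL sees the inner packets, so those deny lines keep voice in the clear. The public addresses, the extra "permit ip" entry and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed crypto ACL modelled on the thread's "vpn" ACL: the RTP/H.323 deny
# entries, a permit for GRE between the public peers (RFC 5737 addresses stand in
# for the masked ones) and, for the IPsec-over-GRE case, a permit for the private
# data ranges. Fields: (action, proto, src, dst, dport_lo, dport_hi).
VPN_ACL = [
    ("deny",   "udp", "192.168.9.0/24", "192.168.0.0/16", 16384, 32767),  # RTP
    ("deny",   "tcp", "192.168.9.0/24", "192.168.0.0/16", 1720, 1720),    # H.323
    ("permit", "gre", "203.0.113.9/32", "198.51.100.1/32", None, None),
    ("permit", "ip",  "192.168.9.0/24", "192.168.0.0/16", None, None),
]
PUBLIC_SRC, PUBLIC_DST = "203.0.113.9", "198.51.100.1"  # constructed peers

def ace_matches(ace, pkt):
    """pkt = (proto, src, dst, dport); an 'ip' ACE matches any IP protocol."""
    action, proto, src, dst, lo, hi = ace
    p_proto, p_src, p_dst, p_dport = pkt
    if proto != "ip" and proto != p_proto:
        return False
    if ipaddress.ip_address(p_src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(p_dst) not in ipaddress.ip_network(dst):
        return False
    if lo is not None and not (p_dport is not None and lo <= p_dport <= hi):
        return False
    return True

def crypto_decision(acl, pkt):
    """First matching ACE decides; in a crypto ACL, deny (and the implicit deny
    at the end) means 'send in the clear', permit means 'encrypt'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return "encrypt" if ace[0] == "permit" else "clear"
    return "clear"

def gre_encapsulate(pkt):
    """Outer header the physical interface sees once the tunnel has wrapped pkt."""
    return ("gre", PUBLIC_SRC, PUBLIC_DST, None)

def classify(design, pkt):
    """'gre-over-ipsec': crypto map on the dialer, ACL sees the outer GRE packet.
    'ipsec-over-gre': crypto map on the tunnel, ACL sees the inner packet."""
    seen = gre_encapsulate(pkt) if design == "gre-over-ipsec" else pkt
    return crypto_decision(VPN_ACL, seen)

SAMPLE = {  # constructed inner packets leaving the 192.168.9.0/24 site
    "rtp":    ("udp", "192.168.9.10", "192.168.1.20", 16400),
    "h323":   ("tcp", "192.168.9.10", "192.168.1.20", 1720),
    "telnet": ("tcp", "192.168.9.10", "192.168.1.5", 23),
}

if __name__ == "__main__":
    for design in ("gre-over-ipsec", "ipsec-over-gre"):
        print(design, {name: classify(design, p) for name, p in SAMPLE.items()})
```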
01-20-2006 11:10 AM
Thanks for the reply,
Initially I thought I would have to do IPsec over a GRE tunnel (i.e. all traffic between private networks gets encrypted), but I did not consider what you suggested.
Can you perhaps clarify the best way to accomplish being able to tunnel all traffic via GRE but only encrypt (via IPsec) certain types of traffic?
Nothing is in stone here so I can reconfigure completely if needed... thanks again for your suggestions.
01-28-2006 02:33 PM
Thanks,
that clarifies things a bit. I will try the config and post back if it doesn't work!
Cheers.