Cisco Employee

Tunneling security

We've asked a company to set up a secure connection (VPN) between some of our branch offices and the HQ. The VPN should have used the Internet as "carrier".

Looking at the configurations made by the company, we found that the connectivity has been set up with simple tunneling without any security protocol implemented (such as IPsec).

Following is an extract from one branch's router configuration.

interface ETH0
 ip address 70.x.x.x secondary
 ip address
 ip nat inside
interface tunnel1
 description TO HQ
 ip unnumbered eth0
 tunnel source 194.x.x.1
 tunnel destination 71.x.x.x1
int atm0
 no ip address
int atm0.1
 ip address 194.x.x.1
 ip nat outside

ip route tunnel1

I'd like to know if this could pose any security risks.



Re: Tunneling security

Looks like they're using GRE (Generic Routing Encapsulation). If I understand correctly, GRE is used to tunnel multiple routing protocols between two private networks. IPsec then has to be added to the GRE tunnel to encrypt the traffic. GRE does not provide authentication or encryption like IPsec does.

Hope this helps

New Member

Re: Tunneling security


Is the config you posted really the whole config you have on your router? What about access-lists?

From what you posted I must say your tunnel is not secure at all, because there is no encryption of your tunneled traffic. Anybody who is able to sniff your traffic or to do a "man in the middle" attack can read your tunnel traffic, and you don't even know that he is doing it. If you have no access-list and no CBAC, you won't defend against any DoS. The only security you have is the NAT translation. But once a NAT entry is made, anyone can use it from outside.

Hope, you can sleep well at night.
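Both replies above come down to one check: does each tunnel interface carry its payload inside IPsec, or in the clear? The following audit script is an added example, not code from the thread or from Cisco; it parses an IOS config into interface stanzas and flags GRE tunnels that lack a `tunnel protection ipsec profile` (or reference a profile that is never defined). The two embedded configs are constructed, using RFC 5737 documentation addresses, and the profile and transform-set names are assumptions.

```python
import re
# Constructed: a default-mode GRE tunnel like the thread's branch config (no IPsec at all).
WEAK_CONFIG = """\
interface Tunnel1
 ip unnumbered Ethernet0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
"""

# Same tunnel with IPsec applied through a tunnel protection profile (names assumed).
HARDENED_CONFIG = """\
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile HQ-PROF
 set transform-set HQ-TS
interface Tunnel1
 ip unnumbered Ethernet0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile HQ-PROF
"""

def interface_blocks(config):
    """Map each interface name to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return blocks

def unprotected_tunnels(config):
    """Return (interface, reason) for tunnels whose payload crosses the carrier in the clear."""
    profiles = set(re.findall(r"^crypto ipsec profile (\S+)", config, re.M))
    findings = []
    for name, cmds in interface_blocks(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode = next((c for c in cmds if c.startswith("tunnel mode ")), "tunnel mode gre ip")
        if "ipsec" in mode:
            continue  # native IPsec VTI encrypts by definition
        prot = next((c for c in cmds if c.startswith("tunnel protection ipsec profile ")), None)
        if prot is None:
            findings.append((name, f"{mode}, no tunnel protection"))
        elif prot.split()[-1] not in profiles:
            findings.append((name, f"undefined ipsec profile {prot.split()[-1]}"))
    return findings
```

Run it over a `show running-config` capture; an empty list means every tunnel interface is either a native IPsec VTI or a GRE tunnel bound to a defined IPsec profile.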


Cisco Employee

Re: Tunneling security

The config had some access lists as well, but all applied "out" on the WAN and eth interfaces (not "in"). I can post them if you think they might be useful.

As far as encryption is concerned, there's no encryption enabled on the tunnel interface, at least on the router configuration I had access to. That's what puzzled me most when I was asked to supervise the configuration made by others.

