Cisco Support Community

Why does this work?

I've been practicing some IPSec VPN scenarios, starting with the typical site-to-site VPN:

Router A

crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Router B

crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 101
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

This works as expected. Traffic from 10.1.1.x on Router A gets picked up by the crypto map and sent to Router B and vice versa. What is confusing me is a more advanced scenario where I'm tunnelling GRE over IPSec with OSPF (why? Because I can).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Everything works just fine, but I'm bothered by the ACLs being used in the example. I don't see how everything should be working. OSPF is fat and happy, and if I ping one spoke from another spoke from a loopback interface, it works as well. In this case, is the network traffic being picked up by the Tunnel interface first, and all the crypto map sees is GRE traffic by the time the packets make it that far?


Why does this work?

Ian

You ask a question about the access lists and I believe that it will be easier to answer the question if we have the access lists to refer to. So here they are:

7206:
access-list 130 permit gre host 14.36.88.6 host 14.38.88.40
access-list 140 permit gre host 14.36.88.6 host 14.38.88.20
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10

2610:
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6

3620:
access-list 110 permit gre host 14.38.88.20 host 14.36.88.6

3640:
access-list 100 permit gre host 14.38.88.40 host 14.36.88.6

One of the first things to understand here (and you briefly mention it in your post) is that they are running the OSPF dynamic routing protocol over the tunnels. So each router sees the path to get to the other router as being through the tunnel. So when the 2610 wants to get to the 7206 it will send that traffic to the tunnel interface. The tunnel interface will encapsulate the original packet in a GRE header. So yes, the only thing that the access list will see is GRE traffic.

Anything that goes through the tunnel (whether it be a data packet or an OSPF routing update) is encapsulated in a GRE header and the access list does not see the original data but sees only GRE.

HTH

Rick
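As an added illustration (not from the thread, and not Cisco code), here is a small Python model of the order of operations the reply describes: the tunnel interface encapsulates first, so the crypto ACL only ever evaluates the outer GRE header between the tunnel endpoints. ACL 120 is the 2610's crypto ACL quoted above and ACL 101 is the site-to-site style ACL from the question; the inner packet addresses, the packet dictionary shape and the 2610's tunnel source are constructed assumptions.

```python
import ipaddress

# Constructed: the 2610's tunnel endpoints, taken from ACL 120 in the thread.
TUNNEL_SRC, TUNNEL_DST = "14.38.88.10", "14.36.88.6"
HOST = "0.0.0.0"  # wildcard mask equivalent of a 'host' keyword

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, pkt):
    """First matching permit entry wins; no match means the implicit deny."""
    for proto, src, src_wc, dst, dst_wc in acl:
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], src, src_wc)
                and wildcard_match(pkt["dst"], dst, dst_wc)):
            return True
    return False

def gre_encapsulate(pkt, tun_src, tun_dst):
    """The tunnel interface wraps the original packet; only the outer header
    is visible to the crypto map applied on the physical interface."""
    return {"proto": "gre", "src": tun_src, "dst": tun_dst, "inner": pkt}

# (proto, src, src_wildcard, dst, dst_wildcard) tuples, as in the configs above.
ACL_120 = [("gre", "14.38.88.10", HOST, "14.36.88.6", HOST)]
ACL_101 = [("ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]

def crypto_map_sees(inner_pkt, via_tunnel):
    """Return what each ACL decides for the packet the crypto map actually inspects.
    via_tunnel=True models OSPF having installed the route through the tunnel."""
    pkt = gre_encapsulate(inner_pkt, TUNNEL_SRC, TUNNEL_DST) if via_tunnel else inner_pkt
    return {
        "proto_seen": pkt["proto"],
        "gre_acl": acl_permits(ACL_120, pkt),       # the GRE-over-IPsec example's ACL
        "inner_net_acl": acl_permits(ACL_101, pkt), # the plain site-to-site ACL
    }

if __name__ == "__main__":
    # Constructed sample: a ping from one LAN to the other, routed via the tunnel.
    print(crypto_map_sees({"proto": "icmp", "src": "10.1.1.5", "dst": "10.1.2.7"}, True))
    # Constructed sample: an OSPF hello sent into the tunnel interface.
    print(crypto_map_sees({"proto": "ospf", "src": "10.1.1.1", "dst": "224.0.0.5"}, True))
```

Routed through the tunnel, both the data packet and the OSPF hello reach the crypto map as GRE between the two endpoints, so the GRE ACL matches and the inner-network ACL does not; without the tunnel route the reverse holds.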