07-16-2010 12:31 PM - edited 03-04-2019 09:05 AM
Hi
I use this template for IPSEC GRE VPN.
Looking for a recommendation to secure the router so that it accepts no traffic other than the GRE VPN. All other traffic should be blocked.
======================================================================================
=====================================================================================
crypto isakmp key mtt3rvLBO3jCoV50zoE address 192.168.1.2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
hash sha
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
crypto map Knight 10 ipsec-isakmp
set transform-set TS
set peer 192.168.1.2
match address 101
!
crypto ipsec profile IPsecP
set transform-set TS
!
interface Serial0
ip address 192.168.1.1 255.255.255.252
!
access-list 101 permit gre host 192.168.1.1 host 192.168.2.1
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
ip mtu 1300
tunnel source Serial0
tunnel destination 192.168.2.1
tunnel protection ipsec profile IPsecP
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.0.0.0 255.0.0.0 Tunnel0
07-17-2010 05:48 AM
There are a few inconsistencies in your config that puzzle me.
The crypto key and the crypto map say that your peer is 192.168.1.2, which would be the device connected by your serial interface. But the tunnel destination and access list 101 specify 192.168.2.1. Is that a typo or is that intended?
If you are using the Tunnel Protection Profile then why is there a crypto map in your template?
If you really mean that you want only the GRE VPN traffic to be allowed, then I would suggest that you add this to your config:
access-list 110 permit udp host 192.168.1.1 host 192.168.2.1 eq 500
access-list 110 permit esp host 192.168.1.1 host 192.168.2.1
access-list 110 deny ip any any
interface serial0
ip access-group 110 in
This will deny anything that is not GRE VPN.
Are you sure that there is not any management traffic or anything else that you might want to go through the serial interface?
HTH
Rick
07-17-2010 06:02 AM
Hi Rick,
Those were typo mistakes.
I would have around 25 IPSEC GRE Tunnels and one management VLAN on the Router.
The routing protocol running on the IPsec GRE tunnels would be OSPF, and a couple with EIGRP.
So I understand from your reply that I need to have two line ACL for each peer.
thanks again.
ST
07-17-2010 10:59 AM
ST
Yes, you need 2 lines in the access list per remote peer. You need to permit UDP 500, which is ISAKMP and does the negotiation of encryption keys for the IPsec session, and you need to permit ESP, which is what carries the encrypted traffic.
As I read my response I see that I have a logical error in the example that I gave. I reversed the source and destination addresses. I said:
access-list 110 permit udp host 192.168.1.1 host 192.168.2.1 eq 500
access-list 110 permit esp host 192.168.1.1 host 192.168.2.1
and it should be:
access-list 110 permit udp host 192.168.2.1 host 192.168.1.1 eq 500
access-list 110 permit esp host 192.168.2.1 host 192.168.1.1
HTH
Rick
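As an added example for this thread (not code from any of the posts), the Python below generates the per-peer inbound access list Rick describes, two entries per remote peer (ISAKMP on UDP 500 and ESP) followed by the explicit deny, and runs a small matcher over constructed packets so the direction slip Rick corrected is visible: applied with `ip access-group 110 in` on Serial0, every entry must name the remote peer as source and the local serial address as destination, otherwise the peer's ISAKMP packets never reach the router. The list number 110 and the local address 192.168.1.1 are taken from the thread; the three peer addresses are constructed, and the optional NAT-T entry (UDP 4500) is an assumption for peers behind NAT that the thread does not discuss. The OSPF and EIGRP hellos ST plans to run over the tunnels arrive inside ESP, so they need no entry of their own; GRE in the clear only needs permitting on IOS releases that re-check the decrypted packet against the interface ACL, which is worth verifying on the target release.

```python
"""Generate and sanity-check the per-peer inbound ACL for a GRE-over-IPsec hub.

Added example for this thread, not code from the original posts.
Assumptions: ACL number 110 and local address 192.168.1.1 come from the
thread; the remote peer list below is constructed, and NAT-T (UDP 4500) is
an optional extra the thread does not discuss.
"""
from dataclasses import dataclass
from typing import List, Optional

LOCAL_SERIAL_IP = "192.168.1.1"   # Serial0 address from ST's template
ACL_NUMBER = 110                  # list number Rick used
# Constructed peers: ST mentions ~25, the thread names only 192.168.2.1.
PEERS = ["192.168.2.1", "192.168.3.1", "192.168.4.1"]


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as an ACL sees it."""
    proto: str                 # "udp", "tcp", "esp", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry; src/dst None means 'any'."""
    action: str                # "permit" or "deny"
    proto: str                 # protocol keyword, "ip" matches everything
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport

    def render(self, number: int) -> str:
        src = "any" if self.src is None else f"host {self.src}"
        dst = "any" if self.dst is None else f"host {self.dst}"
        port = "" if self.dport is None else f" eq {self.dport}"
        return f"access-list {number} {self.action} {self.proto} {src} {dst}{port}"


def build_inbound_acl(local_ip: str, peers: List[str], nat_t: bool = False) -> List[Ace]:
    """Inbound on Serial0 means packets FROM the remote peer TO our serial address."""
    aces: List[Ace] = []
    for peer in peers:
        aces.append(Ace("permit", "udp", peer, local_ip, 500))        # ISAKMP
        if nat_t:
            aces.append(Ace("permit", "udp", peer, local_ip, 4500))   # NAT-T, only if a peer is NATed
        aces.append(Ace("permit", "esp", peer, local_ip))             # encrypted GRE payload
    aces.append(Ace("deny", "ip", None, None))  # explicit copy of the implicit deny, gives hit counters
    return aces


def swap_directions(aces: List[Ace]) -> List[Ace]:
    """Reproduce the slip Rick corrected: source and destination reversed."""
    return [Ace(a.action, a.proto, a.dst, a.src, a.dport) for a in aces]


def evaluate(aces: List[Ace], p: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if a.matches(p):
            return a.action
    return "deny"


def render_config(aces: List[Ace], number: int = ACL_NUMBER) -> str:
    """ACL lines plus the interface stanza that applies the list inbound."""
    lines = [a.render(number) for a in aces]
    lines += ["interface Serial0", f" ip access-group {number} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_inbound_acl(LOCAL_SERIAL_IP, PEERS)
    print(render_config(acl))
    isakmp_from_peer = Packet("udp", "192.168.2.1", LOCAL_SERIAL_IP, 500)
    print("correct ACL, ISAKMP from peer:", evaluate(acl, isakmp_from_peer))
    print("reversed ACL, ISAKMP from peer:", evaluate(swap_directions(acl), isakmp_from_peer))
    print("GRE in the clear from peer:", evaluate(acl, Packet("gre", "192.168.2.1", LOCAL_SERIAL_IP)))
```

Running the script prints the access list followed by the interface stanza; with the 25 peers ST mentions, the two-lines-per-peer rule produces 50 permit entries plus the deny, and every packet that is not ISAKMP or ESP from a listed peer, including the management VLAN's replies if they ever arrive on Serial0 outside a tunnel, falls through to the deny.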
07-17-2010 02:28 PM
Thank you so much, Rick.
You ROCK, man!!!!