VPN ACL

Joe Lee
Level 1

Hello Everyone!

I am working with a client to set up a site-to-site VPN tunnel. It is IPsec over GRE with BGP, and everything works. Please see the relevant part of my configuration below. But my client wants to set up an access list to restrict the source and destination for security purposes. In IPsec we can do it, but I am not sure we can do it on the GRE tunnel. Also, is it necessary to use "tunnel mode ipsec ipv4"? Please advise.

Best Regards,

Joe

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec transform-set vpn-test esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-vpn-file
 set transform-set vpn-test
 set pfs group2
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1396
 tunnel source 192.168.20.20
 tunnel destination 192.168.10.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-file
!


5 Replies

cadet alain
VIP Alumni

Hi,

What you are doing now is the VTI configuration, which is the newer way of implementing GRE over IPsec and which has a lot of advantages over the older way with the crypto map and crypto ACL, so I would leave it this way. Even if you did it the older way, you still couldn't limit the traffic you pass through the tunnel, as you're using GRE.

So in both cases you would have to implement filtering with ACL on the tunnel interfaces to achieve your client goal.

Regards.

Alain

Don't forget to rate helpful posts.

Thank you so much Alain! This is really helpful. One last thing, I want to verify that I need to implement filtering with an ACL on the tunnel interface... 1) Are they tunnel interfaces with GRE on the ACL? 2) Where should I apply the ACL? 3) Which is the newest way to implement IPsec over GRE?

Hi,

1) I don't understand what you mean?

2) inbound or outbound on the tunnel interface

3) what you have implemented now that is: tunnel protection with the ipsec profile

Regards.

Alain

Don't forget to rate helpful posts.

In the original post Joe asked if it was necessary to use tunnel mode ipsec ipv4. I will answer the question in this way:

- the documentation says that you should use tunnel mode ipsec ipv4 in configuring this feature.

- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and worked ok.

- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and did not work until it was added.

- I believe that it is better if you do use it, but sometimes it may work if you do not use it. (I do not like to take chances that way, and so I always use it.)

If you want to restrict traffic as part of some security policy, then you can implement an access list on the tunnel interface. Whether that is inbound or outbound depends on what resources you are trying to protect and what you want to protect them from. If you want to prevent certain resources inside from getting to certain destinations outside, then the access list should be applied outbound. If you want to prevent certain resources outside from accessing certain destinations inside, then the access list would be applied inbound.

HTH

Rick
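Putting Alain's and Rick's answers into configuration form, as an added example that is not from the original thread: an inbound and an outbound extended ACL applied to Joe's Tunnel1. Only Joe's tunnel address 192.168.10.1/30 comes from the thread; the peer's tunnel address 192.168.10.2 (the other end of that /30), the local LAN 10.1.0.0/16, the remote LAN 10.2.0.0/16, and the hosts 10.1.10.5 (web) and 10.1.10.6 (database) are assumptions made up for the illustration. The BGP entries are the part that is easy to forget: the ACL sits on the same interface the BGP session runs over, so a missing permit for TCP 179 drops the neighbor along with the unwanted traffic.

```cisco
! Added example, not from the original post. Assumed addressing:
!   tunnel endpoints 192.168.10.1 (this router, from Joe's config) and 192.168.10.2 (peer)
!   local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, local hosts 10.1.10.5 (web) and 10.1.10.6 (db)
!
! Inbound on Tunnel1 = packets arriving from the remote site, already decrypted.
ip access-list extended VPN-IN
 remark -- keep the eBGP/iBGP session over the tunnel alive --
 permit tcp host 192.168.10.2 host 192.168.10.1 eq bgp
 permit tcp host 192.168.10.2 eq bgp host 192.168.10.1
 remark -- remote site may reach only these local services --
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.5 eq 443
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.6 eq 1433
 remark -- ICMP echo for troubleshooting only --
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo-reply
 remark -- explicit final deny so hits show up in the counters and syslog --
 deny   ip any any log
!
! Outbound on Tunnel1 = packets leaving toward the remote site, before encryption.
! IOS ACLs are stateless, so the replies to sessions permitted in VPN-IN must be
! permitted here explicitly (the "established" keyword matches the ACK/RST replies).
ip access-list extended VPN-OUT
 permit tcp host 192.168.10.1 host 192.168.10.2 eq bgp
 permit tcp host 192.168.10.1 eq bgp host 192.168.10.2
 permit tcp host 10.1.10.5 eq 443 10.2.0.0 0.0.255.255 established
 permit tcp host 10.1.10.6 eq 1433 10.2.0.0 0.0.255.255 established
 permit icmp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 echo
 permit icmp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 echo-reply
 deny   ip any any log
!
interface Tunnel1
 ip access-group VPN-IN in
 ip access-group VPN-OUT out
!
```

Because the ACLs are bound to Tunnel1 rather than to the physical interface, they match the cleartext packets inside the tunnel; the ESP packets between 192.168.20.20 and 192.168.10.10 on the outside interface are untouched. After applying, confirm the neighbor is still Established with `show ip bgp summary`, and watch `show ip access-lists VPN-IN` and `show ip access-lists VPN-OUT` for hits on the final deny to find legitimate flows the policy forgot. The `log` keyword on the deny is useful while tuning but costs CPU on a busy tunnel, so drop it once the policy is stable.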

Thank you Rick and Alain! It really helps!
