03-15-2012 01:54 PM - edited 03-04-2019 03:41 PM
Hello Everyone!
I am working with the client to set up the site-to-site VPN tunnel. It is IPSec over GRE with BGP, and everything works. Please see the part of my configuration below. But my client wants to set up an access list to restrict the source and destination for security purposes. In IPsec we can do it, but I am not sure we can do it on the GRE tunnel. Also, is it necessary to use "tunnel mode ipsec ipv4"? Please advise.
Best Regards,
Joe
! Phase 1 (ISAKMP / IKEv1) policy: AES, pre-shared-key authentication,
! Diffie-Hellman group 2, 8-hour SA lifetime
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
! Phase 2 transform set: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set vpn-test esp-aes esp-sha-hmac
!
! IPsec profile that the tunnel interface is protected with; PFS re-runs DH group 2 on rekey
crypto ipsec profile ipsec-vpn-file
 set transform-set vpn-test
 set pfs group2
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.252
 ip virtual-reassembly
 ! clamp TCP MSS so encapsulated segments fit the path MTU
 ip tcp adjust-mss 1396
 tunnel source 192.168.20.20
 tunnel destination 192.168.10.10
 ! "ipsec ipv4" makes this an IPsec VTI: inner IP is carried directly in ESP, with no GRE header
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-file
!
03-16-2012 02:54 AM
Hi,
What you are doing now is the VTI configuration, which is the newer way of implementing GRE over IPsec and has a lot of advantages over the old way with the crypto map and crypto ACL, so I would leave it this way. Even if you did it the old way, you still can't limit the traffic you are going to pass through the tunnel, as you're using GRE.
So in both cases you would have to implement filtering with an ACL on the tunnel interfaces to achieve your client's goal.
Regards.
Alain
03-16-2012 06:22 AM
Thank you so much Alain! This is really helpful. One last thing, I want to verify that I need to implement filtering with an ACL on the tunnel interface... 1) Are they tunnel interfaces with GRE on the ACL? 2) Where should I apply the ACL? 3) Which is the newest way to implement IPSec over GRE?
03-16-2012 01:14 PM
Hi,
1) I don't understand what you mean?
2) inbound or outbound on the tunnel interface
3) what you have implemented now that is: tunnel protection with the ipsec profile
Regards.
Alain
03-16-2012 01:33 PM
In the original post Joe asked if it was necessary to use tunnel mode ipsec ipv4. I will answer the question in this way:
- the documentation says that you should use tunnel mode ipsec ipv4 in configuring this feature.
- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and worked ok.
- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and did not work until it was added.
- I believe that it is better if you do use it, but sometimes it may work if you do not use it. (I do not like to take chances that way and so I always use it).
If you want to restrict traffic as part of some security policy then you can implement an access list on the tunnel interface. Whether that is inbound or outbound depends on what resources you are trying to protect and what you want to protect them from. If you want to prevent certain resources inside from getting to certain destinations outside then the access list should be applied outbound. If you want to prevent certain resources outside from accessing certain destinations inside then the access list would be applied inbound.
HTH
Rick
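To make the advice from Alain and Rick concrete, here is an added example of what the filtering on the tunnel interface could look like. It is not configuration from the original thread or from Cisco; it builds on Joe's Tunnel1 (192.168.10.1/30, so the peer's tunnel address is assumed to be 192.168.10.2) and assumes an inside LAN of 10.1.0.0/24 behind this router, a remote LAN of 10.2.0.0/24, a local server 10.1.0.10, and a BGP session that runs between the two tunnel addresses. All of those prefixes, the host, and the ACL names TUN1-IN / TUN1-OUT are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumed addressing:
!   inside LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, local server 10.1.0.10,
!   BGP peering between tunnel addresses 192.168.10.1 (local) and 192.168.10.2 (remote).
!
! Outbound on Tunnel1: what local sources may send toward the remote site.
! The BGP session must be permitted explicitly, because the implicit
! "deny ip any any" at the end of every extended ACL would otherwise drop it
! and the routes learned over the tunnel would disappear.
ip access-list extended TUN1-OUT
 remark --- keep the BGP session between the tunnel endpoints up
 permit tcp host 192.168.10.1 host 192.168.10.2 eq bgp
 permit tcp host 192.168.10.1 eq bgp host 192.168.10.2
 remark --- only the inside LAN may reach the remote LAN, and only on HTTPS and SSH
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 443
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 22
 remark --- everything else is logged and dropped
 deny   ip any any log
!
! Inbound on Tunnel1: what the remote site may reach on this side.
ip access-list extended TUN1-IN
 remark --- BGP from the remote tunnel endpoint
 permit tcp host 192.168.10.2 host 192.168.10.1 eq bgp
 permit tcp host 192.168.10.2 eq bgp host 192.168.10.1
 remark --- return traffic for TCP sessions opened from the inside LAN
 permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 established
 remark --- the remote site may reach one local server, HTTPS only
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 443
 deny   ip any any log
!
! Apply both directions on the tunnel interface, not on the physical interface:
! the physical interface only ever sees ESP, while Tunnel1 sees the cleartext
! inner packets, which is where source/destination filtering is meaningful.
interface Tunnel1
 ip access-group TUN1-IN in
 ip access-group TUN1-OUT out
```

Two checks worth doing after applying this: confirm the BGP neighbor stays established (the two `eq bgp` lines in each ACL are what protect it), and watch the hit counters with `show ip access-lists TUN1-IN` / `show ip access-lists TUN1-OUT` so the logged denies tell you whether a legitimate flow was missed before the client's users do. The `established` line is a stateless match on TCP flags, so it only lets return segments through; it is not a substitute for a stateful firewall if the client needs one.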
03-17-2012 06:53 AM
Thank you Rick and Alain! It really helps!