IPSEC tunnel and Routing protocols Support

Hi Everyone,
I read that IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer 4.
Does it mean that if Site A has to reach Site B over a WAN link we should use static IP on the Site A and Site B routers?
In my home lab I configured a Site to Site IPSEC VPN and they are working fine using OSPF; does this mean that IPSEC supports Routing Protocols?
If someone can explain this to me, please?
OSPF  config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
C    10.0.0.0/8 is directly connected, Tunnel0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w#  sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
     3.0.0.0/32 is subnetted, 2 subnets
O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C    192.168.98.0/24 is directly connected, BVI98
C    192.168.99.0/24 is directly connected, FastEthernet0
O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.5.0/31 is subnetted, 1 subnets
O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
Mahesh

Hello,
I'm saying crypto maps have a lot of limitations. Tunnel Protection makes way more sense.
You can configure it in 2 ways [and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel protection ipsec profile tp
We have configured mode transport because we encrypt GRE + whatever we encapsulate in GRE [e.g. OSPF - telnet - http]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile tp
This config is in fact closer to a crypto map [from an encapsulation standpoint]. The transform-set then NEEDS to be in tunnel mode.
Pro:
4 bytes less overhead than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier
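The two designs Olivier lays out differ in where the routing-protocol packet's multicast destination ends up and in header cost. The following is an added Python model, not code from the thread or from Cisco: it builds a constructed OSPF hello (dst 224.0.0.5), wraps it the GRE-over-IPsec way and the IPsec-tunnel-mode way, checks which form a unicast "permit ip host A host B" crypto selector would accept, and counts the encapsulation overhead (ESP itself is left out because it costs the same in both designs). Tunnel endpoints 192.0.2.1 and 198.51.100.1 are constructed documentation addresses.

```python
"""Why an OSPF hello needs GRE in front of crypto-map IPsec, and the 4-byte
overhead difference between GRE over IPsec (transport) and IPsec tunnel mode.
Constructed teaching model: header layout only, no ESP encryption."""
import ipaddress
import struct

IPV4_HDR_LEN = 20   # minimal IPv4 header, no options
GRE_HDR_LEN = 4     # RFC 2784 GRE header with no optional fields
PROTO_ESP = 50
PROTO_GRE = 47
PROTO_OSPF = 89
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (TTL 64, no options) followed by the payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[(ver_ihl & 0x0F) * 4:]}


def gre_encapsulate(inner: bytes) -> bytes:
    """GRE header: no checksum/key/sequence flags, version 0, EtherType 0x0800."""
    return struct.pack("!HH", 0x0000, 0x0800) + inner


def gre_over_ipsec_transport(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Option 1: GRE carries the packet; ESP transport mode then protects
    GRE + inner behind this outer header, which is kept as-is."""
    return build_ipv4(tun_src, tun_dst, PROTO_GRE, gre_encapsulate(inner))


def ipsec_tunnel_mode(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Option 2 / crypto map: ESP tunnel mode adds a fresh outer IP header
    directly around the whole inner packet (ESP header/trailer omitted here)."""
    return build_ipv4(tun_src, tun_dst, PROTO_ESP, inner)


def crypto_selector_matches(pkt: bytes, permit_src: str, permit_dst: str) -> bool:
    """Model of 'permit ip host A host B' in a crypto-map ACL: it sees only
    the outermost header, and IPsec SAs are built to unicast peers only."""
    hdr = parse_ipv4(pkt)
    if ipaddress.IPv4Address(hdr["dst"]).is_multicast:
        return False
    return hdr["src"] == permit_src and hdr["dst"] == permit_dst


def encapsulation_overhead(outer: bytes, inner: bytes) -> int:
    return len(outer) - len(inner)


# Constructed sample: OSPFv2 hello (type 1) from 10.0.0.1 to AllSPFRouters.
OSPF_HELLO = build_ipv4("10.0.0.1", "224.0.0.5", PROTO_OSPF, b"\x02\x01" + bytes(22))
TUN_A, TUN_B = "192.0.2.1", "198.51.100.1"   # constructed tunnel endpoints


def demo() -> dict:
    gre = gre_over_ipsec_transport(OSPF_HELLO, TUN_A, TUN_B)
    tun = ipsec_tunnel_mode(OSPF_HELLO, TUN_A, TUN_B)
    inner_of_gre = parse_ipv4(gre)["payload"][GRE_HDR_LEN:]
    return {
        # the bare hello is multicast, so a unicast crypto selector never takes it
        "raw_hello_selected": crypto_selector_matches(OSPF_HELLO, TUN_A, TUN_B),
        # once GRE wraps it, the outer header is unicast peer-to-peer
        "gre_selected": crypto_selector_matches(gre, TUN_A, TUN_B),
        "inner_dst_after_gre": parse_ipv4(inner_of_gre)["dst"],
        "gre_overhead": encapsulation_overhead(gre, OSPF_HELLO),      # 20 IP + 4 GRE
        "tunnel_overhead": encapsulation_overhead(tun, OSPF_HELLO),   # 20 IP
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 4-byte difference between the two overhead figures is exactly the GRE header Olivier refers to; a VTI (`tunnel mode ipsec ipv4`) avoids the selector problem by choosing traffic via the routing table rather than a crypto ACL.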

Similar Messages

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic Routing Protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes then please provide the OS version and Hardware Model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1):
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • IPSec Tunnel and Making Changes While Up

    My main MPLS circuit is down and i have two IPSec tunnels up to my remote sites.
    Everything is routing fine but i wanted to add a sub net to my NAT and Tunnels.
    Can I add a new subnet to my local network/remote network and save/apply without killing or resetting my active IPSec tunnels?

    Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
    But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec, these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and a new SA to be negotiated, or you can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end, someone on the other end needs to make a corresponding change on their end.
    HTH
    Rick

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
    I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside.

  • Dot1Q tunneling and routing

    I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
    Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
    Assume that the CL-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premises (Internet for example) using the same link (Gig Ethernet).
    What are my options?
    P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
    I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
    Any ideas will be appreciated.

    It depends upon which switch you are using. If you are using an L3 capable switch, routing can be done on the switch itself, or if it's a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers. Use these links for more details.
    http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
    http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

  • Oracle on Wintel and Netapp (protocol support)

    Hello,
    Wondering if iSCSI or CIFS is supported for Oracle on NetApp using Windows 2003 server?
    I've heard it's CIFS but can't be sure. Would also like to use the SnapValidator function. Can I use it with CIFS on Windows?
    Many Thanks
    C

    Why? And on what NetApp model?
    NetApp has one of the best clustered file systems available as their default. Replacing it with something else is destroying, not enhancing, functionality.

  • VLAN's over Internet/IPSec Tunnel

    Hi All !
    I have a problem.
    I have trunked 5 VLANs from various sites over satellite and have them all ending on a hub router,
    but my difficulty now is in getting them sent to the HQ over the internet.
    I have thought about only 2 ways of possibly being able to do this
    1. Get a leased Line :-)
    2. and the only feasible alternative! is to get the VLANs sent per IPSec over the internet, but this is my problem....
    How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
    What equipment would I need ? (more switches/routers)
    Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
    Can someone please help.

    You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
    HTH
    Rick

  • IPSEC Tunnel vs IKE Tunnel?

    I am running ASDM 5.1 and PIX 7.1(1)
    When I look in the gui it always reports a different number for IPSEC Tunnels and IKE Tunnels, I didn't know that there was a difference? For example right now it is reporting, 45 IKE Tunnels and 53 IPSEC Tunnels. What does this mean?
    Thanks :)

    They are not the same. 45 IKE Tunnels represents how many tunnels are established with peers. 53 IPsec Tunnels represents how many sessions are being encrypted amongst those peers.
    HTH

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a

    I have configured a network with OSPF and a site to site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Hi josedilone19
    GRE is used when you need to pass Broadcast or multicast traffic.  That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
    However there are some other important aspects to consider:
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

    I have configured a network with OSPF and a site to site VPN without a GRE tunnel and it works very well. I want to know when I have to use a GRE tunnel over IPsec.

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • 1921 Router Q: How many IPsec tunnels will it support?

    Sorry if this isn't the spot for hardware questions... I need to know how many IPsec VPN tunnels one Cisco1921 can support reliably. Haven't had any luck sifting through documentation on the web.
    Thanks in advance for any help!

    The SEC-K9 permanent licenses apply to the Cisco 1900, 2900, and 3900 ISR G2 platforms; these licenses limit
    all encrypted tunnel counts to 225 tunnels maximum for IP Security (IPsec), Secure Sockets Layer VPN (SSL
    VPN), a secure time-division multiplexing (TDM) gateway, and secure Cisco Unified Border Element (CUBE) and
    1000 tunnels for Transport Layer Security (TLS) sessions.
    The SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic in or out of
    the ISR G2 router, with a bidirectional total of 170 Mbps. This requirement applies for the Cisco 1900, 2900, and
    3900 ISR G2 platforms.
    Thanks
    Ajay

  • IPSEC tunnel between adsl router (1841-K9) and Windows ISA

    Hi. Can anybody point me in the direction of how to achieve this?
    Basically weve got a UC500 running CME. We want to send a home worker home with a router and a phone, and allow their router (probably an 1841 with a WIC 1ADSL and K9 pack) to connect to our SBS server with ISA on it and make an IPSEC tunnel.
    Thanks!!!

    This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Lets say we have three sites, which are all connected via a separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASAs routing table to chose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked in to the potential for GRE tunnels, but the side-effects could outweigh the benefits. The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA. In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGPs like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router please?
    Kindest Regards,
    James.

  • Routing protocols over IPSEC

    why can't you run a routing protocol in IPSEC tunnel mode? why do you need GRE to run a routing protocol?

    Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE which can easily pass multicast and broadcast traffic within the tunnel as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
    HTH
    Rick

  • IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

    >>both routers are located in different countries and connected via ISP
    >>IPsec over GRE tunnel is configured on both the routers
    >>tunnel's line protocol is down on both ends but able to reach the tunnel destination from the tunnel source
    >>Packets are not being received on Router_1, but I can see packets getting encrypted on Router_2
    >>ISP is not finding any issue at their end
    >>Please guide me how I can fix this issue and what needs to be checked?
    ========================
    Router_1#sh run int Tunnel20
    Building configuration...
    Current configuration : 272 bytes
    interface Tunnel20
     bandwidth 2048
     ip address 3.85.129.141 255.255.255.252
     ip mtu 1412
     ip flow ingress
     delay 1
     cdp enable
     tunnel source GigabitEthernet0/0/3
     tunnel destination 109.224.62.26
    end
    ===================
    Router_1#sh int Tunnel20
    Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
      Hardware is Tunnel
      Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
      Internet address is 3.85.129.141/30
      MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
              Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 14w4d, output hang never
      Last clearing of "show interface" counters 2y5w
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1565172427 packets input, 363833090294 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1778491917 packets output, 1555959948508 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
    Packet sent with a source address of 195.27.20.14
    Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
    Router_1#
    ============================================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
    Router_1#sh clock
    15:09:45.421 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
    Router_1#sh clock
    15:11:36.476 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_2#sh run int Tu1
    Building configuration...
    Current configuration : 269 bytes
    interface Tunnel1
     bandwidth 2000
     ip address 3.85.129.142 255.255.255.252
     ip mtu 1412
     ip flow ingress
     load-interval 30
     keepalive 10 3
     cdp enable
     tunnel source GigabitEthernet0/0
     tunnel destination 195.27.20.14
    end
    Router_2#
    =======================
    Router_2#sh run | sec cry
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key Router_2 address 195.27.20.14
    crypto isakmp key Router_2 address 194.9.241.8
    crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
     mode transport
    crypto map <Deleted> 10 ipsec-isakmp
     set peer 195.27.20.14
     set transform-set ge3vpn
     match address Router_2
    crypto map <Deleted> 20 ipsec-isakmp
     set peer 194.9.241.8
     set transform-set ge3vpn
     match address Router_1
     crypto map <Deleted>
    Router_2#
    ====================================
    Router_2#sh cry ip sa pe 195.27.20.14 | in caps
        #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
        #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
    Router_2#sh clock
    .15:10:33.296 UTC Thu Dec 25 2014
    Router_2#
    ========================
    Router_2#sh int Tu1
    Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
      Hardware is Tunnel
      Internet address is 3.85.129.142/30
      MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (10 sec), retries 3
      Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
       Tunnel Subblocks:
          src-track:
             Tunnel1 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         1881547260 packets input, 956465296 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1705198723 packets output, 2654132592 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
    Packet sent with a source address of 109.224.62.26
    Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
    Router_2#
    =========================

    Hello.
    First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
    Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
    Please provide full output "show crypto ipsec sa"
     from both sides.
