RE: NLI's Security CCIE Boot Camp posted 12/01/2002


Well, if that traffic is routed over the tunnel interface, then the traffic
will automatically be encrypted as the tunnel is encrypted.

Your physical topology is:

10.3.1.*   192.168.4.3       192.168.1.13  10.2.1.*
---------R3-------------R5-------------R13--------

But your logical topology with the tunnel is most likely something like:
10.3.1.*   10.1.1.1              10.1.1.2   10.2.1.*
---------R3----------GRE Tunnel----------R13--------


Here 10.1.1.x is used for the GRE tunnel.  If you have a static route on R3
(this could also be learned via a dynamic protocol running across the
tunnel):

ip route 10.2.1.0 255.255.255.0 10.1.1.2

Then, traffic is routed across the tunnel and encrypted.


If however you have the following route:

ip route 10.2.1.0 255.255.255.0 192.168.4.5 (R5)

Then traffic is not routed across the tunnel and is not encrypted.

Regards,
Justin
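An added Python model of the decision Justin describes above (example code, not from the thread and not Cisco IOS): R3 looks up the route, GRE-encapsulates the packet when the next hop is across the tunnel, and the crypto ACL is then evaluated against the packet as it actually leaves. It assumes a classic crypto map on R3's physical interface and the addresses from the thread (R5 as 192.168.4.5), and also shows what an ACL written on the inner LAN subnets would select.

```python
import ipaddress

# Constructed model of the thread's topology (not IOS code): R3 (192.168.4.3) -- R5 -- R13
# (192.168.1.13) with a GRE tunnel 10.1.1.1 <-> 10.1.1.2 between R3 and R13. The crypto map
# is assumed to sit on R3's physical interface, so the crypto ACL sees the packet as sent.
TUNNEL_SRC, TUNNEL_DST = "192.168.4.3", "192.168.1.13"
TUNNEL_NET = ipaddress.ip_network("10.1.1.0/30")

# Justin's suggested crypto ACL, and an ACL written on the inner LAN subnets instead.
ACL_GRE = [("gre", "192.168.4.3/32", "192.168.1.13/32")]
ACL_INNER = [("ip", "10.3.1.0/24", "10.2.1.0/24")]

# The two static routes compared in the reply (192.168.4.5 is R5, as given in the thread).
ROUTE_VIA_TUNNEL = [("10.2.1.0/24", "10.1.1.2")]
ROUTE_VIA_R5 = [("10.2.1.0/24", "192.168.4.5")]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; returns the next hop or None."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(routes, src, dst):
    """Packet as it leaves R3's physical interface: GRE-encapsulated (outer header R3 -> R13)
    when the next hop is across the tunnel, otherwise the original IP packet."""
    nh = lookup(routes, dst)
    if nh is not None and ipaddress.ip_address(nh) in TUNNEL_NET:
        return {"proto": "gre", "src": TUNNEL_SRC, "dst": TUNNEL_DST, "inner": (src, dst)}
    return {"proto": "ip", "src": src, "dst": dst}


def acl_matches(acl, pkt):
    """Evaluate (protocol, src_net, dst_net) permit entries against the outer header.
    'ip' matches any IP protocol (GRE included); 'gre' matches only GRE packets."""
    for proto, s_net, d_net in acl:
        if (proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(s_net)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(d_net)):
            return True
    return False


def is_encrypted(routes, acl, src, dst):
    """True when the packet R3 actually emits is selected for IPsec by the crypto ACL."""
    return acl_matches(acl, forward(routes, src, dst))
```

With the GRE ACL, only the route via 10.1.1.2 yields encrypted traffic; with the inner-subnet ACL the GRE-encapsulated packet is never selected, while the route via R5 would have IPsec protect the LAN-to-LAN traffic directly without GRE.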

-----Original Message-----
From: Peng Zheng [mailto:pzheng830@xxxxxxxxx]
Sent: Saturday, November 30, 2002 5:59 AM
To: Justin Menga; security@xxxxxxxxxxxxxx
Subject: RE: NLI's Security CCIE Boot Camp


In the beginning, they asked to configure a tunnel and
encrypt the tunnel.

But they also said: ping from a switch in 10.2.1.* to
R3's LAN interface, 10.3.1.3, make sure the packet is encrypted.

So I think the traffic that is required to be protected is from
10.2.1.* to 10.3.1.*.



--- Justin Menga <Justin.Menga@xxxxxxxxxxxxxx> wrote:
> Hi
> 
> It depends on what is being encrypted.  The answer
> to me indicates only IP
> traffic sourced from R3 to R13 and vice versa is to
> be encrypted.  The most
> likely use of this would be for some type of
> router-to-router communication,
> such as a GRE tunnel or a BGP session.  In this mode
> of operation, a
> transform set operating in transport mode is
> normally configured, as nothing
> is actually tunneled.  If however traffic behind R3
> to traffic behind R13
> needs to be encrypted (your ACLs reference 10.4.1.0,
> where is this?), then
> your ACLs are correct.
> 
> If the question just says: "IPsec need to be
> configure between R3 and R13."
> then if there was some router-to-router
> communications configured, such as
> BGP or GRE, then I'd assume it just means to protect
> that.   Given in your
> previous email that you indicate a tunnel exists
> between R3 and R13, I'm
> guessing  GRE tunnel exists between the two.  A
> better solution would be:
> 
> access-list 101 permit gre host 192.168.4.3 host
> 192.168.1.13
> 
> Regards,
> Justin
> 
> -----Original Message-----
> From: Peng Zheng [mailto:pzheng830@xxxxxxxxx]
> Sent: Friday, November 29, 2002 8:38 PM
> To: security@xxxxxxxxxxxxxx
> Subject: NLI's Security CCIE Boot Camp
> 
> 
> Hi,
> 
> In the solution for LAB 1 of NLI's Security CCIE Boot Camp
> Lab Subscription, for Router to Router VPN:
> 
> 10.3.1.*   192.168.4.3       192.168.1.13  10.2.1.*
> ---------R3-------------R5-------------R13--------
> 
> IPsec needs to be configured between R3 and R13.  For
> encrypted traffic, the access-list on R3 and R13 is:
> 
> access-list 101 permit ip host 192.168.4.3 host
> 192.168.1.13
> 
> and
> 
> access-list 101 permit ip host 192.168.1.13 host
> 192.168.4.3
> 
> 
> I think it should be:
> 
> access-list 101 permit ip 10.4.1.0 0.0.0.255
> 10.2.1.0
> 0.0.0.255
> 
> and
> 
> access-list 101 permit ip 10.2.1.0 0.0.0.255
> 10.4.1.0
> 0.0.0.255
> 
> Which one is correct?
> 
> Thanks for help.
> 
> Best Wishes,
> Peng Zheng
> 
