2402

Course
2402
2402Number
1187_05_2000_c2
2000,
Cisco
Systems,
Inc. Inc.
1187_05_2000_c2 1999,
2000,
Cisco
Systems,
1 1
Advanced IPSec
Deployment Scenarios
Session 2402
2402
1187_05_2000_c2
2000, Cisco Systems, Inc.
Copyright 2000, Cisco Systems, Inc. All rights reserved. Printed in USA.
IPSec-DS.050300
Advanced IPSec
Overview of IPSec
HSRP Overview
Using IPSec with Hot Standby
Routing Protocol (HSRP)
NAT Overview
Using IPSec with Network/Port
Address Translation (NAT/PAT)
2402
1187_05_2000_c2
IPSec Overview
Initiating the IPSec session
Phase oneexchanging keys
Phase twosetting up security
associations
Encrypting/decrypting packets
Rebuilding security associations
Timing out security associations
2402
1187_05_2000_c2
Simple IPSec configuration

IPSec-DS.050300
Initiating the IPSec Session

Phase OneISAKMP
Internet Security Association Key Management
Protocol (ISAKMP)
Both sides need to agree on the ISAKMP
security parameters (ISAKMP SADB)
ISAKMP parameters
Encryption algorithm
Hash algorithm
Authentication method
Diffie-Hellman modulus
Group lifetime
2402
1187_05_2000_c2
Initiating the IPSec Session

Phase TwoIPSec
Both sides need to agree on the IPSec security
parameters (IPSec SADB)
IPSec parameters
IPSec peer
Endpoint of IPSec tunnel
IPSec proxy
Traffic to be encrypted/decrypted
IPSec transform
Encryption and hashing
IPSec lifetime
Phase two SA regeneration time
2402
1187_05_2000_c2
IPSec-DS.050300
Encrypting and
Decrypting Packets
Phase one and phase two completes
Security Associations (SA) are
created at both IPSec endpoints
Using the negotiated SADB
information
Outbound packets are encrypted
Inbound packets are decrypted
2402
1187_05_2000_c2
Rebuilding
Security Associations
To ensure that keys are not compromised
they are periodically refreshed
Security associations will be rebuilt when:
The lifetime expires, or
Data volume has been exceeded, or
Another SA is attempted with identical
parameters
2402
1187_05_2000_c2
IPSec-DS.050300
Simple IPSec Configuration

10.1.1.0/24
10.1.2.0/24
200.1.1.2
192.1.1.1
Internet
IPSec Tunnel
crypto isakmp policy 1

authentication pre-share
hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
set peer 200.1.1.2
set transform-set trans1
match address 101
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
interface Ethernet1
ip address 192.1.1.1 255.255.255.0
crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
2402
1187_05_2000_c2

hash md5
set peer 192.1.1.1
match address 101
interface Ethernet0
ip address 10.1.2.1 255.255.255.0
interface Ethernet1
ip address 200.1.1.2 255.255.255.0
crypto map vpnmap
IPSec with HSRP
2402
1187_05_2000_c2
IPSec-DS.050300
10
HSRP Overview
Two routers setup to use single
virtual IP address
Provides redundancy for the default
gateway used by hosts
Routers do not use the HSRP
virtual IP address for
routing/forwarding packets
Return packets can take any path back
2402
1187_05_2000_c2
11
HSRP Example Configuration

hostname Rh1
!
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
standby priority 100
standby preempt
standby ip 10.1.1.1
Hostname Rh2
!
interface Ethernet0
ip address 10.1.1.3 255.255.255.0
standby priority 95
standby preempt
standby ip 10.1.1.1
2402
1187_05_2000_c2
IPSec-DS.050300
12
HSRP Example in Action

ARP:
10.1.1.2
0000.0c12.0002
10.1.1.1
0000.0c07.ac01
HSRP: Priority = 100
Standby
Active
- 10.1.1.1
.2
Rh1
Rh2
ARP:
10.1.1.3
0000.0c12.0003
10.1.1.1
0000.0c07.ac01
HSRP: Priority = 95
Active - 10.1.1.1
Standby
.3
10.1.1.0/24
Route:
R 0.0.0.0/0
10.1.1.2
10.1.1.3
R 10.1.2.0/24
10.1.1.3
ARP:
10.1.1.4
0000.0c12.0004
10.1.1.2
0000.0c12.0002
10.1.1.3
0000.0c12.0003
2402
1187_05_2000_c2
.10
.4
R4
H1
Route:
0.0.0.0/0
ARP:
10.1.1.1
10.1.1.1
0000.0c07.ac01
13
IPSec with HSRP

Simple dual peer IPSec configuration
Backup peer IPSec configuration
Separate interconnect link between
HSRP peers
GRE tunnel overview
Use GRE tunnels between IPSec
peers and run a routing protocol
2402
1187_05_2000_c2
IPSec-DS.050300
14
IPSec with HSRP

Network Layout
.21
H2
HSRP Virtual
172.17.63.94
Rh1
172.17.63.98
Internet
.1
172.18.24.199
R3
.66
(.94)
192.168.24.0/24
172.17.63.101
.67
.65 Rh2
.69
H1
2402
1187_05_2000_c2
172.17.63.64/27
15
Scenario 1:
Simple Dual Peer
Before HSRP failover
Remote peer (R3) initiates IPSec connection with first
configured HSRP router (Rh1)
IPSec connection is validated
Packets are encrypted between hosts
After HSRP failover

Now active HSRP router (Rh2) attempts IPSec
connection with R3
IPSec connection request is invalid at R3
R3 still sends encrypted packets to Rh1
Packets fail in both directions
2402
1187_05_2000_c2
IPSec-DS.050300
16
Scenario 1: Configuration
Simple Dual Peer
Remote Peer R3
Two crypto map
entries using the
same access-list
but different peers.
2402
1187_05_2000_c2

!
!
set peer 172.17.63.98
match address 100
set peer 172.17.63.101
match address 100
!
interface Ethernet0
ip address 192.168.24.1 255.255.255.0
!
interface Ethernet1
ip address 172.18.24.199 255.255.255.0
crypto map vpnmap
!
17
Simple Dual Peer
HSRP Router Rh1
Single crypto map
entry using a single
peer and access-list.
2402
1187_05_2000_c2

!
!
set peer 172.18.24.199
match address 100
!
interface Ethernet3
ip address 172.17.63.66 255.255.255.224
standby preempt
standby ip 172.17.63.94
!
interface Serial0
ip address 172.17.63.98 255.255.255.252
crypto map vpnmap
!
IPSec-DS.050300
18
Simple Dual Peer
HSRP Router Rh2
Single crypto map
entry using a single
peer and access-list.
2402
1187_05_2000_c2

!
!
set peer 172.18.24.199
match address 100
!
interface Ethernet3
ip address 172.17.63.65 255.255.255.224
standby preempt
standby ip 172.17.63.94
!
interface Serial0
ip address 172.17.63.101 255.255.255.252
crypto map vpnmap
!
19
Scenario 1:
Before HSRP Failover
HSRP Virtual
172.17.63.94
.67
(.94)
.66
Rh1
.98
Internet
.1
.21
.101
.65
172.17.63.64/27
R3
.199
.69
192.168.24.0/24
Rh2
HSRP Router Rh1
Remote Peer R3
IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest=172.17.63.98, src=172.18.24.199,
dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
IPSEC(sa_request):,
(key eng. msg.) src=172.18.24.199, dest=172.17.63.98,
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
IPSEC(create_sa): sa created,
(sa) sa_dest=172.17.63.98, sa_prot=50, sa_conn_id=12
(sa) sa_dest=172.18.24.199, sa_prot=50,sa_conn_id=13
# show crypto engine connection active

ID Interface IP-Address St Algorithm
Enc Dec
12 Serial0
172.17.63.98 set MD5+DES_56 0
4
13 Serial0
172.17.63.98 set MD5+DES_56 4
0

Enc Dec
55 Ethernet1 172.18.24.199 set MD5+DES_56 0
4
0
2402
1187_05_2000_c2
IPSec-DS.050300
20
10
Scenario 1:
HSRP Failover
HSRP Virtual
172.17.63.94
(.94)
.66
.67
Rh1
.98
Internet
172.17.63.64/27
R3
.199
.69
.65
(.94)
.1
.21
.101
192.168.24.0/24
Rh2
HSRP Router Rh1
Ethernet3 - Group 0
Local state is Active, priority 105, may preempt
Hot standby IP address is 172.17.63.94 configured
Active router is local
Standby router is 172.17.63.65 expires in 00:00:08
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Active
Init
HSRP Router Rh2
Ethernet3 - Group 0
Local state is Standby, priority 100, may preempt
Hot standby IP address is 172.17.63.94 configured
Active router is 172.17.63.66 expires in 00:00:09
Standby router is local
%STANDBY-6-STATECHANGE: Standby: 0: Ethernet3 state Standby
Active
2402
1187_05_2000_c2
21
Scenario 1:
After HSRP Failover
HSRP Virtual
172.17.63.94
.67
Rh1
.66
.98
Internet
(.94)
.1
.21
.101
.65
172.17.63.64/27
R3
.199
.69
192.168.24.0/24
Rh2
HSRP Router Rh2
Remote Peer R3
IPSEC(sa_request):,
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),

dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
ISAKMP (290): processing NOTIFY payload 14 proto 3

spi 385156749, message ID = 1990588714
ISAKMP (290): deleting spi 385156749
message ID = 524405208
...
IPSEC(key_engine): request timer fired: count = 2,
(identity) local=172.17.63.101, remote=172.18.24.199,
loc_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
rem_proxy=192.168.24.0/255.255.255.0/0/0 (type=4)
IPSEC(validate_transform_proposal):
peer address 172.17.63.101 not found
2402
1187_05_2000_c2
ISAKMP: IPSec policy invalidated proposal

ISAKMP (57): sending packet to 172.17.63.101 (R)
QM_IDLE
Enc Dec
55 Serial0
172.17.63.98 set MD5+DES_56
0 4
56 Serial0
172.17.63.98 set MD5+DES_56 14 0
IPSec-DS.050300
22
11
Scenario 1: Analysis
Simple Dual Peer
Problemonly one IPSec connection can be
created by remote peer (R3)
Match address statements are the same in both
crypto map entries
IPSec will always match the first map entry found
Second HSRP router is not in the first entry
SolutionScenario 2: backup peer

Instead of two crypto map entries one for each
HSRP router
Use two peer statements in the same crypto map entry
2402
1187_05_2000_c2
23
Scenario 2:
Backup Peer
Both HSRP routers can initiate separate IPSec tunnels
with the remote peer (R3)
Packets are encrypted over either IPSec tunnel
R3 sends back over last used IPSec tunnel
After HSRP failover

Both IPSec tunnels are still available
R3 may still send encrypted packets to Rh1
connectivity breaks
A single packet from Rh2 will restore connectivity
2402
1187_05_2000_c2
IPSec-DS.050300
24
12
Backup Peer
Remote Peer R3Old
set peer 172.17.63.98
match address 100
set peer 172.17.63.101
match address 100
2 Crypto Map Entries

1 Peer per Entry
Remote Peer R3New

set peer 172.17.63.98
set peer 172.17.63.101
match address 100
1 Crypto Map Entry

2 Peers
2402
1187_05_2000_c2
25
Scenario 2:
HSRP Virtual
172.17.63.94
.67
H1
(.94)
.66
Rh1
.98
Internet
.1
.21
.101
.65
172.17.63.64/27
R3
.199
.69
H2
192.168.24.0/24
Rh2
HSRP Router Rh1
Remote Peer R3

dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
IPSEC(sa_request):,
src_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
dest_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),

Enc Dec
18 Serial0
172.17.63.98 set MD5+DES_56 0
3
19 Serial0
172.17.63.98 set MD5+DES_56 3
0

Enc Dec
3
0
2402
1187_05_2000_c2
IPSec-DS.050300
26
13
Scenario 2:
HSRP Virtual
172.17.63.94
(.94)
.66
.67
Rh1
.98
Internet
H1
R3
.199
.69
.65
172.17.63.64/27
.1
.21
.101
H2
192.168.24.0/24
Rh2
HSRP Router Rh2
Remote Peer R3
IPSEC(sa_request): ,
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),
dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),

dest_proxy=192.168.24.0/255.255.255.0/0/0 (type=4),
src_proxy=172.17.63.64/255.255.255.224/0/0 (type=4),

Enc Dec
93 Serial0
172.17.63.101 set MD5+DES_56 0
4
94 Serial0
172.17.63.101 set MD5+DES_56 4
0

Enc Dec
3
0
4
0
2402
1187_05_2000_c2
27
Scenario 2: Ping Test #1

HSRP Virtual
172.17.63.94
(.94)
.66
.67
Rh1
.98
Internet
H1
R3
.199
.69
172.17.63.64/27
.1
.21
.101
.65
H2
192.168.24.0/24
Rh2
Rh1 Active10 Pings from H2 to H1
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
00
13
3
4
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
12
3
0
HMAC_MD5+DES_56_CB
0
4
HMAC_MD5+DES_56_CB
4
5
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
3
172.17.63.98 set HMAC_MD5+DES_56_CB
12
172.17.63.98 set
set HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
13
34
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
4
5
172.17.63.101 set HMAC_MD5+DES_56_CB
4
0
IPSec-DS.050300
28
14

After HSRP Failover
HSRP Virtual
172.17.63.94
Rh1
.67
H1
.66
.98
Internet
R3
.199
.69
172.17.63.64/27
.65
(.94)
.1
.21
.101
H2
192.168.24.0/24
Rh2
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
13
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB 12
22
0
HMAC_MD5+DES_56_CB
0
4
HMAC_MD5+DES_56_CB
5
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
12
22
13
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
5
172.17.63.101 set HMAC_MD5+DES_56_CB
4
0
29

After HSRP Failover
HSRP Virtual
172.17.63.94
Rh1
.67
H1
.66
.98
Internet
R3
.199
.69
172.17.63.64/27
(.94)
.1
.101
.65
.21
H2
192.168.24.0/24
Rh2
Rh2 Active1 Ping from H1 to H2

10 Pings from H2 to H1
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
13
HMAC_MD5+DES_56_CB
22
0
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
00
15
4
5
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
16
5
6
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
22
13
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
16
5
6
172.17.63.101 set
HMAC_MD5+DES_56_CB
15
4
5
0
IPSec-DS.050300
30
15
Backup Peer
Problemcan lose connectivity
Both IPSec connections are available
Remote peer sends packets back on last IPSec tunnel
to receive packets
If packets are sent to IPSec peer that cannot do final
delivery then connectivity is lost
Connectivity is only restored when a packet is received
from IPSec peer that can do final delivery
SolutionScenario 3: interconnect link

Add a connection between HSRP routers so that they
have an alternate path for final delivery
2402
1187_05_2000_c2
31
Scenario 3:
Interconnect Link
HSRP routers initiate separate IPSec tunnels with remote peer
Packets can be encrypted over either IPSec tunnel
Remote peer sends back over last used IPSec tunnel
Interconnect link is not used
After HSRP failover

Both IPSec tunnels still available
Remote peer may still send encrypted packets to Rh1
Rh1 does final delivery via Rh2 over the interconnect link
Return packet goes via Rh2 to remote peer
Remote peer now sends via IPSec tunnel to Rh2
Interconnect link not used until another failover
2402
1187_05_2000_c2
IPSec-DS.050300
32
16
Interconnect Link
HSRP Router Rh1
interface Ethernet2
ip address 172.17.63.34 255.255.255.224
no shutdown
!
ip route 172.17.63.64 255.255.255.224 172.17.63.33
Interconnect Link
HSRP Router Rh2
Static Route
interface Ethernet2
ip address 172.17.63.33 255.255.255.224
no shutdown
!
ip route 172.17.63.64 255.255.255.224 172.17.63.34
2402
1187_05_2000_c2
33
Scenario 3: Topology
HSRP Virtual
172.17.63.94
(.94)
.66
.67
H1
Rh1
.98
Internet
.34
.69
.33
.65
172.17.63.64/27
R3
.199
.101
.1
.21
H2
192.168.24.0/24
Rh2
After IPSec Tunnels Built and Before HSRP Failover
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
4
HMAC_MD5+DES_56_CB
4
0
HMAC_MD5+DES_56_CB
0
4
HMAC_MD5+DES_56_CB
4
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
4
4
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
4
172.17.63.101 set HMAC_MD5+DES_56_CB
4
0
IPSec-DS.050300
34
17

HSRP Virtual
172.17.63.94
(.94)
.66
.67
H1
Rh1
.98
Internet
.34
.69
.33
.65
172.17.63.64/27
R3
.199
.1
.21
.101
H2
192.168.24.0/24
Rh2
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
4
5
9
HMAC_MD5+DES_56_CB
4
8
0
HMAC_MD5+DES_56_CB
0
4
HMAC_MD5+DES_56_CB
4
5
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
4
8
172.17.63.98 set
HMAC_MD5+DES_56_CB
49
5
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
4
5
172.17.63.101 set HMAC_MD5+DES_56_CB
4
0
35
Scenario 3:
HSRP Failover
HSRP Router Rh1
Rh1#show ip route
C
172.17.63.32/27 is directly connected, Ethernet2
C
C
172.17.63.96/30 is directly connected, Serial0
%LINK-5-CHANGED: Interface Ethernet3, changed state to administratively down
Init
Rh1#show ip route
C
S
172.17.63.64/27 [1/0] via 172.17.63.33
C
HSRP Router Rh2

Active
Rh2#show ip route
C
C
C
2402
1187_05_2000_c2
IPSec-DS.050300
36
18

After HSRP Failover
HSRP Virtual
172.17.63.94
Rh1
.67
.66
H1
.98
Internet
.34
.69
.33
.65
172.17.63.64/27
(.94)
R3
.199
.1
.21
.101
H2
192.168.24.0/24
Rh2
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
9
HMAC_MD5+DES_56_CB
8
9
0
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
00
14
4
5
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
14
5
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
9
8
9
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
14
5
172.17.63.101 set
HMAC_MD5+DES_56_CB
14
4
5
0
37

Packet Trace
R3:
IP: s=192.168.24.21 (Ethernet0), d=172.17.63.69 (Ethernet1), g=172.18.24.1, len 84, forward

ICMP type=8, code=0
(Cant see IPSec tunnel packet going out)
Rh1: IP: s=172.18.24.199 (Serial0), d=172.17.63.98 (Serial0), len 136, rcvd 3, proto=50
IP: s=192.168.24.21 (Serial0), d=172.17.63.69 (Ethernet2), g=172.17.63.33, len 84, forward
ICMP type=8, code=0
Rh2: IP: s=192.168.24.21 (Ethernet2), d=172.17.63.69 (Ethernet3), g=172.17.63.69, len 84, forward
ICMP type=8, code=0
IP: s=172.17.63.69 (Ethernet3), d=192.168.24.21 (Serial0), g=172.17.63.102, len 84, forward
ICMP type=0, code=0
R3:
2402
1187_05_2000_c2
IP: s=172.17.63.101 (Ethernet1), d=172.18.24.199 (Ethernet1), len 136, rcvd 3, proto=50

ICMP type=0, code=0
IPSec-DS.050300
38
19

Packet Trace (Cont.)
R3:
Rh2:

ICMP type=8, code=0
IP: s=172.18.24.199 (Serial0), d=172.17.63.101 (Serial0), len 136, rcvd 3, proto=50

IP: s=192.168.24.21 (Serial0), d=172.17.63.69 (Ethernet3), g=172.17.63.69, len 84, forward
ICMP type=8, code=0
IP: s=172.17.63.69 (Ethernet3), d=192.168.24.21 (Serial0), g=172.17.63.102, len 84, forward
ICMP type=0, code=0
R3:
2402
1187_05_2000_c2

ICMP type=0, code=0
39
Interconnect Link
Success
Interconnect link protects from connectivity loss
But
Scenario 2 and 3 can take time to switch over if current
HSRP active router goes down
Very little control over link used by remote peer
SolutionScenario 4: GRE tunnels

Use IPSec and GRE tunnels between remote peer and
HSRP routers
Run a routing protocol to provide failover and control
2402
1187_05_2000_c2
IPSec-DS.050300
40
20
GRE Tunnel Overview

RFC 1701generic routing encapsulation
Tunneling an IP datagram in an IP datagram
Multiprotocol, keys, keepalives, sequencing
Implemented using a virtual interface

Can run routing protocols over tunnel
Point-to-point
Static tunnel destination address
Multipoint
Dynamic tunnel destination address
mapping using NHRP
2402
1187_05_2000_c2
41
Scenario 4:
GRE Tunnels
Separate GRE tunnels are built
Use transport mode IPSec to encrypt GRE tunnel
Run a routing protocol over the tunnels

Routing updates control which tunnels are used
On HSRP router failure or switchover

Use of the GRE tunnel from remote peer to alternate
HSRP router switches when the routing converges
Can be used to IPSec encrypt other protocols

AppleTalk, DECnet, IPX, Multicast IP
2402
1187_05_2000_c2
IPSec-DS.050300
42
21
Scenario 4: GRE Tunnel

Configuration
Remote Peer R3
Use Transport Mode
Crypto Map and GRE

Tunnel for peer RH2
Crypto Map and GRE

Tunnel for peer RH1
2402
1187_05_2000_c2

mode transport
!
set peer 172.17.63.98
match address 110
set peer 172.17.63.101
match address 111
!
interface Tunnel0
ip address 172.17.63.114 255.255.255.252
tunnel source 172.18.24.199
tunnel destination 172.17.63.101
crypto map vpnmap
!
interface Tunnel1
ip address 172.17.63.118 255.255.255.252
crypto map vpnmap
!
access-list 110 permit gre host 172.18.24.199 host 172.17.63.98
43

Configuration
HSRP Router Rh1
Use Transport mode
Crypto Map and GRE

Tunnel for peer RH2
Shutdown cross-link
from Scenario 3
2402
1187_05_2000_c2
crypto ipsec transform-set trans1 esp-null esp-md5-hmac

mode transport
!
set peer 172.18.24.199
match address 110
!
interface Tunnel1
ip address 172.17.63.117 255.255.255.252
crypto map vpnmap
!
Interface Ethernet2
shut
!
IPSec-DS.050300
44
22

Configuration
HSRP Router Rh2
Use Transport mode
Crypto Map and GRE

Tunnel for peer RH2
Shutdown cross-link
from Scenario 3
2402
1187_05_2000_c2

mode transport
!
set peer 172.18.24.199
match address 110
!
interface Tunnel1
ip address 172.17.63.113 255.255.255.252
crypto map vpnmap
!
interface Ethernet2
shut
!
45
Scenario 4: GRE Tunnel RIP

Configuration
Routers Rh1 and Rh2
Routing Protocol
Good Idea to Control

the Routes that Are
Advertised Over
the GRE Tunnels
router rip
version 2
network 172.17.0.0
passive-interface serial0
distribute-list 2 out
!
access-list 2 permit 172.17.63.64
Router R3
router rip
version 2
network 172.17.0.0
network 192.168.24.0
distribute-list 2 out
!
access-list 2 permit 192.168.24.0
2402
1187_05_2000_c2
IPSec-DS.050300
46
23
Scenario 4: GRE Tunnels

HSRP Virtual
172.17.63.94
(.94)
.66
.67
Rh1
.98
Internet
H1
R3
.199
.69
.65
172.17.63.64/27
.1
.21
.101
H2
192.168.24.0/24
Rh2
Routing Protocol Brings Up Tunnels
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
0
1
HMAC_MD5+DES_56_CB
0
0
HMAC_MD5+DES_56_CB
0
0
1
HMAC_MD5+DES_56_CB
0
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
0
172.17.63.98 set
HMAC_MD5+DES_56_CB
01
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
0
172.17.63.101 set HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
0
1
0
47
Scenario 4: Routing Tables

Load Balance
Packets over
Both Tunnels
2402
1187_05_2000_c2
Rh1:
Rh2:
R3:
192.168.24.0/24 [120/1] via 172.17.63.118, 00:05:40, Tunnel1

172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C
C
C
172.17.63.116/30 is directly connected, Tunnel1
192.168.24.0/24 [120/1] via 172.17.63.114, 00:05:48, Tunnel1

C
C
C

172.17.63.64/27 [120/1] via 172.17.63.117, 00:04:46, Tunnel1
[120/1] via 172.17.63.113, 00:04:07, Tunnel0
C
C
C 172.18.24.0/24 is directly connected, Ethernet1
R
IPSec-DS.050300
48
24

HSRP Virtual
172.17.63.94
(.94)
.66
.67
H1
Rh1
.98
Internet
R3
.199
.69
.65
172.17.63.64/27
.1
.21
.101
H2
192.168.24.0/24
Rh2
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
00
11
1
2
3
HMAC_MD5+DES_56_CB
0
1
5
0
HMAC_MD5+DES_56_CB
0
1
HMAC_MD5+DES_56_CB
0
1
5
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
0
1
5
172.17.63.98 set
HMAC_MD5+DES_56_CB
11
13
2
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
0
1
5
172.17.63.101 set HMAC_MD5+DES_56_CB
1
0
49

Packet Trace
Packet Trace on Remote Peer R3
IP: s=192.168.24.21 (Ethernet0), d=172.17.63.69 (Tunnel1), g=172.17.63.117, len 84, forward
ICMP type=8, code=0
IP: s=172.18.24.199 (local), d=172.17.63.98 (Ethernet1), len 112, sending, proto=47
(Cant see IPSec packet going out)
(Cant see GRE tunnel packet coming in)
IP: s=172.17.63.69 (Tunnel1), d=192.168.24.21 (Ethernet0), g=192.168.24.21, len 84, forward
ICMP type=0, code=0

ICMP type=8, code=0
ICMP type=0, code=0
2402
1187_05_2000_c2
IPSec-DS.050300
50
25
Scenario 4:
HSRP Failover
HSRP Router Rh1
%LINK-5-CHANGED: Interface Ethernet3, changed state to administratively down
Init
HSRP Router Rh2

Active
Routing Table on R3
C
R
C
C
C
S*
2402
1187_05_2000_c2

172.17.63.64/27 [120/1] via 172.17.63.113, 00:03:48, Tunnel0
0.0.0.0/0 [1/0] via 172.18.24.1
51

After HSRP Failover
HSRP Virtual
172.17.63.94
Rh1
.67
H1
.66
.98
Internet
R3
.199
.69
172.17.63.64/27
(.94)
.1
.21
.101
.65
H2
192.168.24.0/24
Rh2
2402
1187_05_2000_c2
R3:
ID Interface
63 Ethernet1
64 Ethernet1
66 Ethernet1
67 Ethernet1
IP-Address
172.18.24.199
172.18.24.199
172.18.24.199
172.18.24.199
State
set
set
set
set
Algorithm
Encrypt Decrypt
HMAC_MD5+DES_56_CB
0
12
HMAC_MD5+DES_56_CB
6
0
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
00
12
2
3
HMAC_MD5+DES_56_CB
HMAC_MD5+DES_56_CB
16
6
7
0
Rh1:
ID Interface
12 Serial0
13 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
0
6
12
0
Rh2:
ID Interface
93 Serial0
94 Serial0
IP-Address
State Algorithm
Encrypt Decrypt
172.17.63.101 set HMAC_MD5+DES_56_CB
0
16
6
7
172.17.63.101 set
HMAC_MD5+DES_56_CB
12
2
3
0
IPSec-DS.050300
52
26

Packet Trace
Packet Trace on Remote Peer R3
ICMP type=8, code=0
ICMP type=0, code=0

ICMP type=8, code=0
ICMP type=0, code=0
2402
1187_05_2000_c2
53
GRE Tunnels
IPSEC encrypted GRE tunnels
Can run a routing protocol between local
and remote ends of VPN tunnel
Path selection converges as fast as the
routing protocol
Full control of usage of tunnel and
HSRP routers
IPSec transport mode reduces packet size
as compared with IPSEC tunnel mode
Slightly more complicated configuration

2402
1187_05_2000_c2
IPSec-DS.050300
54
27
IPSec with HSRP

Review
Scenario 1: Simple dual peer (failure)
Configuration problemmatch address the same
Scenario 2: Backup peer (partial success)

Connectivity lost until packet restores connectivity
Scenario 3: Interconnect link (success)

Requires extra interfaces for cross-link
Cannot control path of return packets
Scenario 4: GRE tunnel (full success)

Running routing protocol over tunnels give full
control over tunnel usage
2402
1187_05_2000_c2
55
IPSec with NAT
2402
1187_05_2000_c2
IPSec-DS.050300
56
28
NAT/PAT Overview
Network address translation
Port address translation
Translating local addresses
to global addresses
Dynamic translations
Static translations
Order of operation between

NAT/PAT and IPSec
2402
1187_05_2000_c2
57
Translating Local Addresses

to Global Addresses
Why NAT/PAT
Local private addresses are not
routable and cannot access the Internet
How does NAT/PAT work

Replaces the (private) source address
with a routable internet address
Keeps translations in a table so that
return traffic can be mapped back to
its original source address
2402
1187_05_2000_c2
IPSec-DS.050300
58
29
Translating Local to Global:

Outbound
Inbound Interface
Private Network
10.1.1.0/24
10.1.1.1
Internet
NAT
Outbound Interface
170.10.1.2
10.1.1.2
198.33.219.25
Before NAT
Outbound Packet
NAT
NAT Address
Address Table
Table
170.10.1.251
- - 170.10.1.252
170.10.1.253
170.10.1.254
2402
1187_05_2000_c2
For outbound packets an address

is dynamically allocated from the
NAT Address Table
170.10.1.251 198.33.219.25
After NAT
Outbound Packet
Translation Table
Inside Local
Inside Global
10.1.1.2
- - 170.10.1.251
- - - - - - - - - - -
59
Translating Global to Local:

Inbound
Inbound Interface
Private Network
10.1.1.0/24
10.1.1.1
Internet
NAT
Outbound Interface
170.10.1.2
198.33.219.25
10.1.1.2
After NAT
Return Packet
NAT
NAT Address
Address Table
Table
- - 170.10.1.252
170.10.1.253
170.10.1.254
2402
1187_05_2000_c2
The NAT Address Translation Entry

in the Translation Table is used
to translate return packets
198.33.219.25 170.10.1.251
Before NAT
Return Packet
Translation Table
Inside Local
Inside Global
10.1.1.2
170.10.1.251
- - - - - - - - -
IPSec-DS.050300
60
30
Translating Global to Local:

InboundNo Translation
Inbound Interface
Private Network
10.1.1.0/24
10.1.1.1
Internet
NAT
Outbound Interface
170.10.1.2
198.33.219.25 170.10.1.251
After NAT
Return Packet
After the timeout the NAT Translation

Entry is removed from the Table and
the Address is returned to the Pool
NAT
NAT Address
Address Table
Table
170.10.1.251
- - 170.10.1.252
170.10.1.253
170.10.1.254
2402
1187_05_2000_c2
198.33.219.25 170.10.1.251
Before NAT
Return Packet
Translation Table
Inside Local
Inside Global
10.1.1.2
- - 170.10.1.251
- - - - - - - - - - -
61
Order of Operation between

NAT/PAT and IPSec
Outbound traffic
NAT/PAT happens before IPSec
Inbound traffic
IPSec happens before NAT/PAT
Outbound
Intranet
Inbound Interface
NAT
IPSec
Outbound Interface
2402
1187_05_2000_c2
IPSec-DS.050300
Inbound
Internet
62
31
IPSec with NAT

Scenario 1: No NAT
Only need communication over secure
VPN tunnel
Scenario 2: NAT
Need communication over secure VPN
tunnel and access to the Internet
Scenario 3: NAT with server

Need communication over secure VPN tunnel,
access to the Internet and access to servers
from Internet and over secure VPN tunnel
2402
1187_05_2000_c2
63
Scenario 1: No NAT
Description
VPN clients using private addresses
only need to talk to other private
addresses over a secure tunnel.
Packets are sent over IPSec tunnel
Packets traversing IPSec tunnel do
not need NAT
VPN clients dont have access to

the Internet
2402
1187_05_2000_c2
IPSec-DS.050300
64
32
Scenario 1: No NAT
PrivatePrivate with IPSec
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.3
.1
.3
IPSec Tunnel
10.1.1.2
10.1.2.2
10.1.1.2
10.1.2.2
Inbound Interface
Outbound Interface
Echo Request
NAT
Echo Request
NAT
Not used
Not used
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
Outbound Interface
192.1.1.1
2402
1187_05_2000_c2
192.1.1.1 200.1.1.2
192.1.1.1 200.1.1.2
10.1.1.2
10.1.1.2
10.1.2.2
Echo Request
10.1.2.2
Echo Request
IPSec
10.1.2.0/24 ==> 10.1.1.0/24
Inbound Interface
200.1.1.2
65
Scenario 1: No NAT
PrivatePrivate with IPSec
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.3
.1
.3
IPSec Tunnel
10.1.2.2
10.1.1.2
10.1.2.2
10.1.1.2
Outbound Interface
NAT
Inbound Interface
Echo Reply
Echo Reply
Not used
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
Inbound Interface
192.1.1.1
2402
1187_05_2000_c2
NAT
Not used
200.1.1.2 192.1.1.1
200.1.1.2 192.1.1.1
10.1.2.2
10.1.2.2
10.1.1.2
Echo Reply
10.1.1.2
Echo Reply
IPSec-DS.050300
IPSec
10.1.2.0/24 ==> 10.1.1.0/24
Outbound Interface
200.1.1.2
66
33
Scenario 1: No NAT
Configurations
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
.3
192.1.1.1
Internet
200.1.1.1
.1
.3
IPSec Tunnel

hash md5
set peer 200.1.1.2
match address 101
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
interface Ethernet1
ip address 192.1.1.1 255.255.255.0
crypto map vpnmap
ip route 0.0.0.0 0.0.0.0 192.1.1.2
2402
1187_05_2000_c2

hash md5
set peer 192.1.1.1
match address 101
interface Ethernet0
ip address 10.1.2.1 255.255.255.0
interface Ethernet1
ip address 200.1.1.2 255.255.255.0
crypto map vpnmap
ip route 0.0.0.0 0.0.0.0 200.1.1.1
67
Scenario 1: No NAT
Debugs
IPSec Starting
Create Security
Association
Packets Encrypted
and Decrypted
IPSEC(sa_request): ,
src_proxy=10.1.1.0/255.255.255.0/0/0 (type=4),
dest_proxy=10.1.2.0/255.255.255.0/0/0 (type=4),
protocol=ESP, transform=esp-des esp-md5-hmac ,
lifedur=3600s and 4608000kb,
spi=0x0(0), conn_id=0, keysize=0, flags=0x4004
(sa) sa_dest=192.1.1.1, sa_prot=50,
sa_spi=0xB49231D(189342493),
sa_trans=esp-des esp-md5-hmac , sa_conn_id=20
(sa) sa_dest=200.1.1.2, sa_prot=50,
sa_spi=0x1290F4F(19468111),
sa_trans=esp-des esp-md5-hmac , sa_conn_id=21
#show crypto engine connection active
ID Interface
20 Ethernet1
21 Ethernet1
2402
1187_05_2000_c2
IP-Address St Algorithm
192.1.1.1
set MD5+DES_56
192.1.1.1
set MD5+DES_56
IPSec-DS.050300
Encrypt Decrypt
0
5
5
0
68
34
Scenario 2: NAT
Description
VPN clients using private addresses need to talk
to other private addresses over a secure tunnel
Private address packets are sent over IPSec tunnel
Packets traversing IPSec tunnel do not need NAT
VPN clients need access to the Internet

Private addresses cannot be used to access
the Internet
Private addresses must be translated to valid
Global addresses using NAT
2402
1187_05_2000_c2
69
Scenario 2: NAT
Configuration
Mark NAT Inside and

Outside Interfaces
Translate IP Source
10.1.1.0 - 10.1.1.255 to
192.1.1.20 - 192.1.1.24
2402
1187_05_2000_c2

!
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
!
set peer 200.1.1.2
set transform-set vpntrans
match address 100
!
interface Ethernet0
ip address 192.1.1.1 255.255.255.0
ip nat outside
crypto map vpnmap
!
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat pool p-name 192.1.1.20 192.1.1.24 netmask 255.255.255.0
ip nat inside source list 1 pool p-name
ip route 0.0.0.0 0.0.0.0 192.1.1.2
access-list 1 permit 10.1.1.0 0.0.0.255
IPSec-DS.050300
70
35
Scenario 2: NAT
Access to the Internet
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.3
.1
.3
IPSec Tunnel
Inside Interface
NAT
10.1.1.2
192.10.1.1
Echo Request
10.1.1.2 <==> 192.1.1.20
IPSec
192.1.1.20 192.10.1.1
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
Echo Request
192.1.1.1
2402
1187_05_2000_c2
O
U
T
B
O
U
N
D
P
A
C
K
E
T
S
192.10.1.1
10.1.1.2
Echo Reply
192.10.1.1 192.1.1.20
Echo Reply
I
N
B
O
U
N
D
P
A
C
K
E
T
S
71
Scenario 2: NAT
Access to the Internet
Packet Trace on NAT Router
NAT: s=10.1.1.2->192.1.1.20, d=192.10.1.1 [10205]
IP: s=192.1.1.20 (Ethernet1), d=192.10.1.1 (Ethernet0), g=192.1.1.2, forward
ICMP type=8, code=0
NAT: s=192.10.1.1, d=192.1.1.20->10.1.1.2 [18087]
IP: s=192.10.1.1 (Ethernet0), d=10.1.1.2 (Ethernet1), g=10.1.1.2, forward
ICMP type=0, code=0
NAT Translation Table

#show ip nat translation
Pro Inside global
Inside local
--- 192.1.1.20
10.1.1.2
2402
1187_05_2000_c2
Outside local
---
IPSec-DS.050300
Outside global
---
72
36
Scenario 2: NAT
Access to VPN Client
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
.3
200.1.1.1
Internet
.1
.3
IPSec Tunnel
10.1.1.3
Inside Interface
NAT
10.1.2.2
Echo Request
10.1.1.3 <==> 192.1.1.21
IPSec
192.1.1.21
10.1.2.2
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
Echo Request
192.1.1.1
2402
1187_05_2000_c2
O
U
T
B
O
U
N
D
P
A
C
K
E
T
S
Since NAT happens before IPSec,

the packets wont match the IPSec
access-list and IPSec isnt started.
73
Scenario 2: NAT
Packet DebugsFailure
Debug Output
NAT
Translation
Table
IPSec Tunnels
are not built
NAT: s=10.1.1.3->192.1.1.21, d=10.1.2.2 [10207]

IP: s=192.1.1.21 (Ethernet1), d=10.1.2.2 (Ethernet0), g=192.1.1.2, fwd
ICMP type=8, code=0
NAT: s=10.1.1.3->192.1.1.21,d=10.1.2.2 [10208]
ICMP type=8, code=0
Pro Inside global
Inside local
--- 192.1.1.21
10.1.1.3
--- 192.1.1.20
10.1.1.2
Outside global
-----

ID Interface
2402
1187_05_2000_c2
Outside local
-----
IP-Address St Algorithm
IPSec-DS.050300
Encrypt Decrypt
74
37
Scenario 2: NAT
The Solution
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
Internet
.3
200.1.1.1
.1
.3
IPSec Tunnel
We need to add NAT rules that say if the source and the destination address match the IPSec proxy
dont do NAT
else
do NAT
ip nat inside source route-map nonat pool p-name
access-list 110 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
match address 110
2402
1187_05_2000_c2
75
Scenario 2: NAT
Fixed Configuration
crypto ipsec transform-set vpntrans esp-des esp-md5-hmac
set peer 200.1.1.2
match address 100
interface Ethernet0
ip address 192.1.1.1 255.255.255.0
ip nat outside
crypto map vpnmap
Need to use route-map

and access-list to deny
only NAT Internet
bound traffic.
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
ip nat inside
match ip address 110
2402
1187_05_2000_c2
IPSec-DS.050300
76
38
Scenario 2: NAT
Packet Flow
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.3
.1
.3
IPSec Tunnel
10.1.1.2
10.1.2.2
10.1.1.2
10.1.2.2
Inside Interface
Inside Interface
Echo Request
Echo Request
NAT
NAT
Use rules below
Not used
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
192.1.1.1
192.1.1.1 200.1.1.2
192.1.1.1 200.1.1.2
10.1.1.2
10.1.1.2
10.1.2.2
Echo Request
10.1.2.2
Echo Request
IPSec
10.1.2.0/24 ==> 10.1.1.0/24
Outside Interface
200.1.1.2
if src and dest address

match the IPSec proxy
dont do NAT
else
do NAT
2402
1187_05_2000_c2
77
Scenario 2: NAT
Return Packet Flow
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.3
.1
.3
IPSec Tunnel
10.1.2.2
10.1.1.2
10.1.2.2
10.1.1.2
Inside Interface
Inside Interface
Echo Reply
Echo Reply
NAT
NAT
Use rules below
Not used
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
192.1.1.1
200.1.1.2 192.1.1.1
200.1.1.2 192.1.1.1
10.1.2.2
10.1.2.2
10.1.1.2
Echo Reply
10.1.1.2
Echo Reply
IPSec
10.1.2.0/24 ==> 10.1.1.0/24
Outside Interface
200.1.1.2
if src and dest address

match the IPSec proxy
dont do NAT
else
do NAT
2402
1187_05_2000_c2
IPSec-DS.050300
78
39
Scenario 2: NAT
Packet TraceSuccess
ICMP type=8, code=0
ICMP type=0, code=0
ICMP type=8, code=0
ICMP type=0, code=0
ID Interface
6 Ethernet0
7 Ethernet0
2402
1187_05_2000_c2
IP-Address
192.1.1.1
192.1.1.1
State Algorithm
Encrypt Decrypt
0
2
2
0
79
Scenario 3: NAT with Server

Description
VPN clients need to talk over secure tunnel
Packets traversing IPSec tunnel do not need NAT
VPN Clients need access to the Internet

NAT is used to translate Private addresses
Internet users and VPN client users must

be able to get to servers that are also part
of the VPN
Internet to internal server requires NAT
VPN client to internal server doesnt require NAT
2402
1187_05_2000_c2
IPSec-DS.050300
80
40

Configuration
set peer 200.1.1.2
match address 100
!
interface Ethernet0
ip address 192.1.1.1 255.255.255.0
ip nat outside
crypto map vpnmap
!
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static 10.1.1.10 192.1.1.10
ip route 0.0.0.0 0.0.0.0 200.1.1.2
!
!
Added Static NAT

statement for access
to inside server
2402
1187_05_2000_c2
81

Server to Internet
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
.10
192.1.1.1
200.1.1.1
Internet
.1
.3
IPSec Tunnel
The server at 10.1.1.10 must access the internet.

Because of the static NAT entry it will always have the outside
global address 192.1.1.10 so return routing will work.
Inside Interface
10.1.1.10 192.10.1.1
NAT
Echo Request
10.1.1.10 <==> 192.1.1.10
IPSec
192.1.1.10 192.10.1.1
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
192.1.1.1
2402
1187_05_2000_c2
Echo Request
O
U
T
B
O
U
N
D
P
A
C
K
E
T
S
IPSec-DS.050300
192.10.1.1 10.1.1.10
Echo Reply
192.10.1.1 192.1.1.10
Echo Reply
I
N
B
O
U
N
D
P
A
C
K
E
T
S
82
41

Internet to Server
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.10
.1
.3
IPSec Tunnel
The Internet user at 192.10.1.1 will use the outside global

address, 192.1.1.10, to access the server at 10.1.1.10
and this will work because of the static NAT entry.
Inside Interface
10.1.1.10 192.10.1.1
NAT
Echo Reply
10.1.1.10 <==> 192.1.1.10
IPSec
192.1.1.10 192.10.1.1
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
Echo Reply
192.1.1.1
2402
1187_05_2000_c2
O
U
T
B
O
U
N
D
P
A
C
K
E
T
S
192.10.1.1 10.1.1.10
Echo Request
192.10.1.1 192.1.1.10
Echo Request
I
N
B
O
U
N
D
P
A
C
K
E
T
S
83
Scenario 3: Packet Trace

Internet to Server
Packet Trace on NAT Router
NAT*: s=192.10.1.1, d=192.1.1.10->10.1.1.10 [6187]
ICMP type=8, code=0
NAT: s=10.1.1.10->192.1.1.10, d=192.10.1.1 [10240]
ICMP type=0, code=0
NAT Translation Table

Pro Inside global
Inside local
--- 192.1.1.10
10.1.1.10
2402
1187_05_2000_c2
Outside local
---
IPSec-DS.050300
Outside global
---
84
42

Server to VPN Client
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.10
.1
.3
IPSec Tunnel
This is where we run into problems. The outbound packets will

be NATted, because of the static NAT command. So once again
this traffic will not match the IPSec proxy and start the tunnel.
Inside Interface
NAT
10.1.1.10
O
U
T
B
O
U
N
D
10.1.2.2
Echo Request
10.1.1.10 <==> 192.1.1.10
IPSec
192.1.1.10
P
A
C
K
E
T
S
10.1.2.2
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
Echo Request
192.1.1.1
2402
1187_05_2000_c2
85

VPN Client to Server
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
200.1.1.1
Internet
.10
.1
.3
IPSec Tunnel
The packets come in through the IPSec tunnel with a source of

10.1.2.2 and a destination of 10.1.1.10. NAT doesnt apply since the
destination address is not 192.1.1.10, packet is delivered to Server
10.1.2.2 10.1.1.10
10.1.2.2 10.1.1.10
Echo Request
Echo Request
Inside Interface
Inbound Interface
NAT
NAT
10.1.1.10 <==> 192.1.1.10
Nat not used
IPSec
200.1.1.2 192.1.1.1
200.1.1.2 192.1.1.1
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
10.1.2.2 10.1.1.10
10.1.2.2 10.1.1.10
10.1.2.0/24 ==> 10.1.1.0/24
Echo Request
Echo Request
Outside Interface
192.1.1.1
2402
1187_05_2000_c2
IPSec-DS.050300
Outbound Interface
200.1.1.2
86
43

VPN Client to Server (Cont.)
192.10.1.1
10.1.1.0/24
10.1.2.0/24
.2
.2
.1
192.1.1.1
.10
200.1.1.1
Internet
.1
.3
IPSec Tunnel
After NAT, the return packet will have a source of the static 192.1.1.10
and a destination of 10.1.2.2, once again not matching the IPSec proxy,
so the return traffic will not go back into the IPSec tunnel.
10.1.1.10
Inside Interface
NAT
10.1.2.2
Echo Reply
10.1.1.10 <==> 192.1.1.10
IPSec
192.1.1.10
10.1.2.2
10.1.1.0/24 ==> 10.1.2.0/24
Outside Interface
Echo Reply
192.1.1.1
2402
1187_05_2000_c2
O
U
T
B
O
U
N
D
P
A
C
K
E
T
S
87

ICMP type=8, code=0
NAT: s=10.1.1.10->192.1.1.10, d=10.1.2.2 [10248]
ICMP type=0, code=0
ICMP type=8, code=0
NAT: s=10.1.1.10->192.1.1.10, d=10.1.2.2 [10249]
ICMP type=0, code=0
ID Interface
3 Ethernet0
4 Ethernet0
2402
1187_05_2000_c2
IP-Address
192.1.1.1
192.1.1.1
State Algorithm
Encrypt Decrypt
0
2
0
0
IPSec-DS.050300
88
44
Scenario 3:
NAT with Server Solution
We still need the NAT configuration
statements described in previous slides
to allow internet access
Because of the static NAT entry we now
need more complex rules
If the IP source matches the static and
the IP destination matches the IPSec proxy
Then use a policy route-map to route packet
via a loopback interface to bypass NAT
2402
1187_05_2000_c2
89

Working Configuration
Add loopback interface
to use to bypass NAT.
Add Policy routing to

select data packets
to bypass NAT.
2402
1187_05_2000_c2
interface Loopback1
ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0
ip address 192.1.1.1 255.255.255.0
ip nat outside
crypto map test
!
interface Ethernet1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map rmap
!
ip nat pool p-name 192.1.1.20 192.1.1.23 prefix-length 24
ip nat inside source static 10.1.1.10 192.1.1.10
ip route 0.0.0.0 0.0.0.0 192.1.1.2
access-list 120 permit ip host 10.1.1.10 10.1.2.0 0.0.0.255
route-map rmap permit 10
set ip next-hop 10.0.0.2
IPSec-DS.050300
90
45
Scenario 3: Fixed
192.10.1.1
10.1.1.0/24
10.1.2.0/24
10.0.0.0/30
.2
.2
.1
.1
192.1.1.1
200.1.1.1
Internet
.10
.1
.3
IPSec Tunnel
The packets come in through the IPSec tunnel with a source of

10.1.2.2 and a destination of 10.1.1.10. NAT doesnt apply since the
destination address is not 192.1.1.10, packet is delivered to Server
10.1.2.2 10.1.1.10
10.1.2.2 10.1.1.10
Echo Request
Echo Request
Inside Interface
Inbound Interface
NAT
NAT
10.1.1.10 <==> 192.1.1.10
Nat not used
IPSec
200.1.1.2 192.1.1.1
200.1.1.2 192.1.1.1
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
10.1.2.2 10.1.1.10
10.1.2.2 10.1.1.10
10.1.2.0/24 ==> 10.1.1.0/24
Echo Request
Echo Request
Outside Interface
192.1.1.1
2402
1187_05_2000_c2
Outbound Interface
200.1.1.2
91
Scenario 3: Fixed
VPN Client to Server (Cont.)
192.10.1.1
10.1.1.0/24
10.1.2.0/24
10.0.0.0/30
.2
.2
.1
.1
192.1.1.1
200.1.1.1
Internet
.10
.1
.3
IPSec Tunnel
Policy routing will route the return packet through the loopback, the packet will then
come back to the router on the loopback and be normally routed out ethernet0
NAT will not be invoked since the loopback is not marked as a NAT interface.
10.1.1.10 10.1.2.2
10.1.1.10 10.1.2.2
Echo Reply
Echo Reply
Inside Interface
Outbound Interface
NAT
NAT
10.1.1.10 <==> 192.1.1.10
Nat not used
IPSec
192.1.1.1 200.1.1.2
192.1.1.1 200.1.1.2
IPSec
10.1.1.0/24 ==> 10.1.2.0/24
10.1.1.10 10.1.2.2
10.1.1.10 10.1.2.2
10.1.2.0/24 ==> 10.1.1.0/24
Echo Reply
Echo Reply
Outside Interface
192.1.1.1
2402
1187_05_2000_c2
IPSec-DS.050300
Inbound Interface
200.1.1.2
92
46
Scenario 3: Fixed
ICMP type=8, code=0
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2, len 84, policy match
ICMP type=0, code=0
IP: route map nonat, item 10, permit
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2 (Loopback1), len 84, policy routed
ICMP type=0, code=0
IP: s=10.1.1.10 (Ethernet1), d=10.1.2.2 (Loopback1), g=10.0.0.2, len 84, forward
ICMP type=0, code=0
IP: s=10.1.1.10 (Loopback1), d=10.1.2.2 (Ethernet0), g=192.1.1.2, len 84, forward
ICMP type=0, code=0
ID Interface
12 Ethernet0
13 Ethernet0
2402
1187_05_2000_c2
IP-Address
192.1.1.1
192.1.1.1
State Algorithm
Encrypt Decrypt
0
1
1
0
93
IPSec with NAT

Review
Scenario 1: No NAT
NAT not involved so standard IPSec works fine
Scenario 2: NAT
Configure NAT to not encrypt traffic that matches the
IPSec proxy
Scenario 3: NAT with server

Configuring NAT to not encrypt traffic that matches the
IPSec proxy is not sufficient
Need to also use Policy Routing to route packets
from Server to VPN clients via a loopback interface
to bypass NAT
2402
1187_05_2000_c2
IPSec-DS.050300
94
47
Advanced IPSec
Session 2402
2402
1187_05_2000_c2
95
Please Complete Your

Evaluation Form
Session 2402
2402
1187_05_2000_c2
IPSec-DS.050300
96
48
2402
1187_05_2000_c2
IPSec-DS.050300
97
49

2402

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

2402

Загружено:

Авторское право:

Доступные форматы

Course

2000, Cisco Systems, Inc.

2000, Cisco Systems, Inc.

Simple IPSec configuration

Initiating the IPSec Session

2000, Cisco Systems, Inc.

Initiating the IPSec Session

2000, Cisco Systems, Inc.

2000, Cisco Systems, Inc.

2000, Cisco Systems, Inc.

Simple IPSec Configuration

crypto isakmp policy 1

crypto isakmp policy 1

2000, Cisco Systems, Inc.

IPSec with HSRP

2000, Cisco Systems, Inc.

2000, Cisco Systems, Inc.

HSRP Example Configuration

2000, Cisco Systems, Inc.

HSRP Example in Action

2000, Cisco Systems, Inc.

IPSec with HSRP

2000, Cisco Systems, Inc.

IPSec with HSRP

2000, Cisco Systems, Inc.

After HSRP failover

2000, Cisco Systems, Inc.

crypto isakmp policy 1

2000, Cisco Systems, Inc.

crypto isakmp policy 1

2000, Cisco Systems, Inc.

crypto isakmp policy 1

2000, Cisco Systems, Inc.

HSRP Router Rh1

IPSEC(validate_proposal_request): proposal part #1,

# show crypto engine connection active

# show crypto engine connection active

2000, Cisco Systems, Inc.

HSRP Router Rh1

HSRP Router Rh2

2000, Cisco Systems, Inc.

HSRP Router Rh2

IPSEC(validate_proposal_request): proposal part #1,

ISAKMP (290): processing NOTIFY payload 14 proto 3

ISAKMP: IPSec policy invalidated proposal

2000, Cisco Systems, Inc.

SolutionScenario 2: backup peer

2000, Cisco Systems, Inc.

After HSRP failover

2000, Cisco Systems, Inc.

2 Crypto Map Entries

Remote Peer R3New

1 Crypto Map Entry

2000, Cisco Systems, Inc.

HSRP Router Rh1

IPSEC(validate_proposal_request): proposal part #1,

# show crypto engine connection active

# show crypto engine connection active

2000, Cisco Systems, Inc.

HSRP Router Rh2

IPSEC(validate_proposal_request): proposal part #1,

# show crypto engine connection active

# show crypto engine connection active

2000, Cisco Systems, Inc.