
GRE IPSec tunnel. VPN LED is on... but no access


creeping666 (Technical User, NZ)
Jan 21, 2009
I am trying to set up a GRE IPSec tunnel between two sites.

Note: the WAN IPs are made up, hence the 259....

Site 1
======
cisco 877 with Advanced IP Services
VLAN1=172.16.0.0 / 16

Site 2
======
cisco 877 with Advanced IP Services
VLAN1=192.168.30.0 / 24

The VPN LED on the 877s lights up after I enter the configuration below, but I cannot access anything through the tunnel.
Any ideas on what I am doing wrong?

I am using the Cisco-based firewall; would that be stopping my pings etc. from working? If so, would I only need to set up zone pairs between
VLAN1 -> GRE-TUNNEL and GRE-TUNNEL -> VLAN1?
Which I think I have tried already with no luck. I thought I might be able to troubleshoot it without adding the zone commands.

Thanks.

Site 1 config.

Code:
access-list 120 permit gre host 198.90.45.16 host 259.39.102.19
!
crypto map VPN-GRE 1 ipsec-isakmp
 set transform-set AES-SHA
 set peer 259.39.102.19
 match address 120
exit
!
interface Dialer0
 crypto map VPN-GRE
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
!
interface Tunnel0
 ip mtu 1420
 no shutdown
 ip address 10.1.1.1 255.255.255.0
 crypto map VPN-GRE
 tunnel source Dialer0
 tunnel destination 259.39.602.739
exit
!
router rip
 version 2
 no auto-summary
 network 172.16.0.0
 network 10.0.0.0
exit
!
crypto isakmp key ^&9036gre4327!# address 259.39.102.19
!
ip access-list extended NAT
 deny   ip 172.16.0.0 0.0.255.255 192.168.30.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
!
ip nat inside source list NAT interface Dialer0 overload

Site 2 config.

Code:
access-list 120 permit gre host 259.39.102.19 host 198.90.45.16
!
crypto map VPN-GRE 1 ipsec-isakmp
 set transform-set AES-SHA
 set peer 198.90.45.16
 match address 120
exit
!
interface Dialer0
 crypto map VPN-GRE
exit
!
interface Tunnel0
exit
!
default interface Tunnel0
!
interface Tunnel0
 ip mtu 1420
 no shutdown
 ip address 10.1.1.2 255.255.255.0
 crypto map VPN-GRE
 tunnel source Dialer0
 tunnel destination 198.90.45.16
exit
!
router rip
 version 2
 no auto-summary
 network 192.168.30.0
 network 10.0.0.0
exit
!
crypto isakmp key ^&9036gre4327!# address 198.90.45.16
!
!
ip access-list extended NAT
 deny   ip 192.168.30.0 0.0.0.255 172.16.0.0 0.0.255.255 
 permit ip 192.168.30.0 0.0.0.255 any
!
ip nat inside source list NAT interface Dialer0 overload
 
1. Take the crypto maps off the dialer interfaces

2. Where is acl 120 in both routers?

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Cool, I will try that tonight. As for the 120, not sure what you mean... so far it's in the crypto map VPN-GRE section.
Are you implying it should be somewhere else, that it's in the wrong place?

Code:
crypto map VPN-GRE 1 ipsec-isakmp
 set transform-set AES-SHA
 set peer 198.90.45.16
 match address 120
exit
 
OK, no luck removing 'crypto map VPN-GRE' from the Dialer0 interface. But once again, as soon as I add 'crypto map VPN-GRE' back to the interface, the VPN LED lights up with no access through the tunnel.

Any other ideas?
 
You need an ACL 120 for interesting traffic (to be encrypted), or what is called a crypto ACL.

 
Right, thanks people. Got the GRE tunnel up and working! Not sure if I should tack this next bit onto this thread, but since some of my config is already above....

How on earth do I secure who can access the tunnel?

Site 1                      Site 2
======                      ======
VLAN1  172.16.0.0 / 16      VLAN1  192.168.30.0 / 24
VLAN24 172.24.0.0 / 16      VLAN17 172.17.0.0 / 16
VLAN26 172.26.0.0 / 16      VLAN18 172.18.0.0 / 16
VLAN28 172.28.0.0 / 16      VLAN19 172.19.0.0 / 16

I have noticed that the VLANs cannot communicate over the tunnel until I add the network to RIP.
The thing I do not get is... I am using the zone-based firewall and the tunnel interface is not in a zone, but VLAN1 is. Hence they should not be able to talk to one another?
I even tried adding the following to secure access to the tunnel:

Code:
interface VLAN 1
 zone-member security VLAN1
exit
!
interface tunnel 0
 zone-member security GRE_TUNNEL-TO-SITE2
exit
!
policy-map type inspect VLANS-TO-GRE_TUNNEL-SITE2
 class class-default
  drop
 exit
exit
!
zone-pair security VLAN1-TO-GRE_TUNNEL-SITE2 source VLAN1 destination GRE_TUNNEL-SITE2
 service-policy type inspect VLANS-TO-GRE_TUNNEL-SITE2
exit

But I still have full access through the tunnel. Is it because the tunnel is bound to the Dialer0 interface or something? For some reason the zones do not work the normal way with the tunnel interface. Are there any best practices for using zones with a tunnel?
e.g. Should the tunnel even be in a zone? In a zone by itself?

Every Cisco document I seem to find online does not include examples using the zone-based firewall, only plain access lists.

Thanks.
 
You don't need to protect or inspect the tunnel traffic---it is being encrypted.

 
Sorry, I should have been more clear: I want to restrict which VLANs can access the GRE tunnel. Easy VPN server example below.

Easy VPN clients do not have any access to my VLANs until I do the following:

Code:
zone security VLAN1
zone security EASYVPN

policy-map type inspect PERMIT_IP
 class type inspect IP
  pass
 class class-default
  drop log
!
zone-pair security VLAN1-TO-EASYVPN source VLAN1 destination EASYVPN
 service-policy type inspect PERMIT_IP
zone-pair security INTERNET-TO-EASYVPN source INTERNET destination EASYVPN
 service-policy type inspect PERMIT_IP
zone-pair security EASYVPN-TO-INTERNET source EASYVPN destination INTERNET
 service-policy type inspect PERMIT_IP
zone-pair security EASYVPN-TO-VLAN1 source EASYVPN destination VLAN1
 service-policy type inspect PERMIT_IP

The same does not seem to apply for restricting access through the tunnel.

If I:

1. Don't put the tunnel0 interface in a ZONE: all VLANs have access through the tunnel.

2. Put the tunnel0 interface in a ZONE and apply a policy-map to stop all access: all VLANs still have access through the tunnel.

The only way to stop VLANs getting access is to not put in a routing entry for the routing protocol I am using. Which is obviously not the best way, as I would like a more granular way to restrict traffic using class maps.

I thought that by adding the config below it would stop all access from VLAN1 through the tunnel, but it doesn't:

Code:
interface VLAN 1
 zone-member security VLAN1
exit
!
interface tunnel 0
 zone-member security GRE_TUNNEL-TO-SITE2
exit
!
policy-map type inspect VLANS-TO-GRE_TUNNEL-SITE2
 class class-default
  drop
 exit
exit
!
zone-pair security VLAN1-TO-GRE_TUNNEL-SITE2 source VLAN1 destination GRE_TUNNEL-SITE2
 service-policy type inspect VLANS-TO-GRE_TUNNEL-SITE2
exit

Any ideas on why this behaviour occurs? The only difference between the Easy VPN and tunnel examples I can think of is that the tunnel0 interface is bound to another interface (Dialer0), which is in another ZONE (INTERNET).
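As an added example (not the poster's config and not anything from Cisco), here is a small Python lint over IOS-style snippets for two of the checks this thread turns on: that the crypto ACL, crypto map peer, GRE tunnel destination and ISAKMP key address all name the same valid peer (in the site 1 config in the first post, the tunnel destination differs from the peer used everywhere else), and that every zone a zone-pair references actually has a member interface (the zone-based firewall snippet names the tunnel zone two different ways). The sample configs, RFC 5737 addresses and placeholder key are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the site 1 layout from the first post, using RFC 5737 documentation
# addresses and a placeholder key, with the tunnel destination mistyped as in the thread.
SITE1 = """\
access-list 120 permit gre host 192.0.2.16 host 198.51.100.19
crypto map VPN-GRE 1 ipsec-isakmp
 set peer 198.51.100.19
 match address 120
interface Tunnel0
 tunnel source Dialer0
 tunnel destination 198.51.600.739
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.19
"""
# The zone-based firewall lines as they appear later in the thread.
ZBF = """\
interface VLAN 1
 zone-member security VLAN1
interface tunnel 0
 zone-member security GRE_TUNNEL-TO-SITE2
zone-pair security VLAN1-TO-GRE_TUNNEL-SITE2 source VLAN1 destination GRE_TUNNEL-SITE2
 service-policy type inspect VLANS-TO-GRE_TUNNEL-SITE2
"""
# Every place the remote endpoint is named: crypto ACL, crypto map peer, GRE destination, PSK.
PEER_PATTERNS = (
    ("acl_peer", r"^access-list \d+ permit gre host \S+ host (\S+)"),
    ("map_peer", r"^\s*set peer (\S+)"),
    ("tunnel_dst", r"^\s*tunnel destination (\S+)"),
    ("isakmp_peer", r"^crypto isakmp key \S+ address (\S+)"),
)

def check_vpn(cfg):
    """Report remote-peer addresses that are malformed or that disagree with each other."""
    vals = {k: m.group(1) for k, p in PEER_PATTERNS if (m := re.search(p, cfg, re.M))}
    problems = []
    for key, addr in vals.items():
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{key}: {addr} is not a valid IPv4 address")
    if len(set(vals.values())) > 1:  # all four must name the same peer
        problems.append("peer addresses disagree: " + ", ".join(f"{k}={v}" for k, v in vals.items()))
    return problems

def check_zones(cfg):
    """Zones named in a zone-pair but holding no member interface never see any traffic."""
    members = set(re.findall(r"^\s*zone-member security (\S+)", cfg, re.M))
    pairs = re.findall(r"^zone-pair security \S+ source (\S+) destination (\S+)", cfg, re.M)
    return sorted({z for pair in pairs for z in pair if z not in members})
```

Run `check_vpn` against each site's snippet and `check_zones` against the firewall lines before looking at crypto debugs; both return an empty list when the config is internally consistent.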
 