[c-nsp] IPSEC - CISCO (GRE and NAT too!)

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Sun Nov 5 15:24:52 EST 2006


> >	2) In your example you have both the GRE and the IPSEC on the
> >outside interface. In the example I'm looking at otherwise
> >
> >http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
> 
> The example is complicated and confusing, because it introduces IPX and
> a PIX. I wouldn't use this as a starting or reference point.
>
	I was using it only because there was NAT in the mix for me. It
looks like as I learn more about everything, that their example doesn't
really address everything about the NAT that I wanted for my situation.
They are playing at the PIX with things that I can't do in my
situation.
> 
> >	They have the IPSEC on the outside interfaces, and Tunnel from
> >the inside interfaces. Is there any differences between one versus the
> >other, or does it change how it does things? I need the IPSec as the
> >outer layer, and the GRE as the inner layer because I am dealing with
> >NAT.
> 
> Hm, not sure at what point you apply NAT, but my example does exactly
> what you need. Traffic from 192.168.10.0/24 and 192.168.20.0/24 is
> encapsulated into a GRE tunnel first and then the GRE tunnel is
> encrypted in IPSec and sent out to the opposite IPSec peer.
>
	That's what I need, to a point. *I* am not applying NAT, it's
being thrust upon me... And for the time being, while in testing, I'm
getting NAT'd again.
> 
> In older IOS versions you had to apply the crypto map to both the GRE
> tunnel and the outgoing interface. I never had to configure this with
> newer IOS versions (12.3+) - the crypto map goes only to the outside
> interface.
> 
> The example you are referring to has the crypto map applied to both
> interfaces, maybe this confuses you.
> 
	It did originally, but as I talk and get more examples I'm
starting to understand. They even have the warning up top about that.

	I've decided to provide a few visual (if not abysmal) aids.
(As for the fonts/etc... I'm no graphic artist, and I had to deal with
what I was given.)

	http://www.tucs-beachin-obx-house.com/NYNJ1.jpg

	This is a simulated environment. In here, I can forward
the public IP over the OpenVPN link and make my laptop the router


	http://www.tucs-beachin-obx-house.com/NYNJ2.jpg

	This is the 2nd simulated environment. In here, I can
see the effects of being behind NAT (Ok, don't kill me for
not using RFC1918 addresses. This is an unfortunate requirement
of the other person I live with and her company's stupidity
with using VPN).

	
	http://www.tucs-beachin-obx-house.com/NYNC1.jpg

	This will be production version one, where I test
everything out for a few months to make sure it's stable and
working properly.


	http://www.tucs-beachin-obx-house.com/NYNC2.jpg

	This will be production, and probably final version.



	So this is why I have to deal with NAT and why I've
had a few stumbling blocks.

	Any comments are of course welcome!

		Tuc

	(PS - I found you can run uClinux on a 2500 series,
I might just put that in with OpenVPN and be sitting pretty
too. ;) )
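The GRE-inside-IPsec layout the reply describes (crypto map on the outside interface only, as on IOS 12.3+, with NAT overload on the same box), written out as an added IOS configuration example that is not part of the thread or of Cisco's referenced document. The public addresses 192.0.2.1 (local) and 198.51.100.1 (remote peer), the tunnel /30, the interface names and the pre-shared key are constructed placeholders; the remote router mirrors this with the addresses swapped.

```cisco
! Constructed addressing: 192.0.2.1 is this router's outside address,
! 198.51.100.1 is the remote IPsec peer (both are documentation ranges).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE_PSK_REPLACE_ME address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
!
! Crypto ACL: only the GRE packets between the two public peers are
! encrypted. The LAN prefixes never appear here; they ride inside GRE.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 101
!
! GRE tunnel: sourced from the outside interface, no crypto map here.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
! Outside interface: the only place the crypto map is applied.
interface FastEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map GRE-MAP
!
interface FastEthernet0/1
 description inside LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! NAT exemption: LAN-to-LAN traffic must enter the tunnel untranslated;
! only Internet-bound traffic is overloaded onto the outside address.
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
!
! Route the far LAN into the tunnel so it is GRE-encapsulated first.
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

Verify the layering with `show crypto ipsec sa` (counters should rise only for the GRE host-to-host SA) and `show ip nat translations` (no entries for the 192.168.20.0/24 destination).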

