[c-nsp] IPSEC - CISCO (GRE and NAT too!)

Jorge Evangelista netsecuredata at gmail.com
Sun Nov 5 17:53:43 EST 2006


You can easily configure an IPsec VPN tunnel between Cisco and FreeBSD
with pfSense; it is built on FreeBSD 6.
http://www.pfsense.com/index.php?id=27


On 11/5/06, Tuc at T-B-O-H.NET <ml at t-b-o-h.net> wrote:
> > >     2) In your example you have both the GRE and the IPSEC on the
> > >outside interface. In the example I'm looking at otherwise
> > >
> > >http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
> >
> > The example is complicated and confusing, because it introduces IPX and
> > a PIX. I wouldn't use this as a starting or reference point.
> >
>        I was using it only because there was NAT in the mix for me. It
> looks like as I learn more about everything, that their example doesn't
> really address everything about the NAT that I wanted for my situation.
> They are playing at the PIX with things that I can't do in my
> situation.
> >
> > >     They have the IPSEC on the outside interfaces, and Tunnel from
> > >the inside interfaces. Is there any differences between one versus the
> > >other, or does it change how it does things? I need the IPSec as the
> > >outer layer, and the GRE as the inner layer because I am dealing with
> > >NAT.
> >
> > Hm, not sure at what point you apply NAT, but my example does exactly
> > what you need. Traffic from 192.168.10.0/24 and 192.168.20.0/24 is
> > encapsulated into a GRE tunnel first and then the GRE tunnel is
> > encrypted in IPsec and sent out to the opposite IPsec peer.
> >
>        That's what I need, to a point. *I* am not applying NAT, it's
> being thrust upon me... And for the time being, while in testing, I'm
> getting NAT'd again.
> >
> > In older IOS versions you had to apply the crypto map to both the GRE
> > tunnel and the outgoing interface. I never had to configure this with
> > newer IOS versions (12.3+) - the crypto map goes only to the outside
> > interface.
> >
> > The example you are referring to has the crypto map applied to both
> > interfaces, maybe this confuses you.
> >
>        It did originally, but as I talk and get more examples I'm
> starting to understand. They even have the warning up top about that.
>
>        I've decided to provide a few visual (if not abysmal) aids.
> (As for the fonts/etc... I'm no graphic artist, and I had to deal with
> what I was given.)
>
>        http://www.tucs-beachin-obx-house.com/NYNJ1.jpg
>
>        This is a simulated environment. In here, I can forward
> the public IP over the OpenVPN link and make my laptop the router
>
>
>        http://www.tucs-beachin-obx-house.com/NYNJ2.jpg
>
>        This is the 2nd simulated environment. In here, I can
> see the effects of being behind NAT (Ok, don't kill me for
> not using RFC1918 addresses. This is an unfortunate requirement
> of the other person I live with and her company's stupidity
> with using VPN).
>
>
>        http://www.tucs-beachin-obx-house.com/NYNC1.jpg
>
>        This will be production version one, where I test
> everything out for a few months to make sure it's stable and
> working properly.
>
>
>        http://www.tucs-beachin-obx-house.com/NYNC2.jpg
>
>        This will be production, and probably final version.
>
>
>
>        So this is why I have to deal with NAT and why I've
> had a few stumbling blocks.
>
>        Any comments are of course welcome!
>
>                Tuc
>
>        (PS - I found you can run uClinux on a 2500 series,
> I might just put that in with OpenVPN and be sitting pretty
> too. ;) )
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


-- 
"The network is the computer"
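As an added example (not from this thread, and not Cisco's own documentation), here is a minimal IOS configuration for the GRE-over-IPsec layout the quoted reply describes, written for a 12.3+ router where the crypto map is applied only to the outside interface and the crypto ACL matches just the GRE packets between the two peers. All names, interface numbers, addresses and the pre-shared key placeholder are assumed: 198.51.100.1 and 203.0.113.2 stand in for the two public peer addresses, the local LAN is 192.168.10.0/24, the remote LAN is 192.168.20.0/24, and the remote router mirrors this with the values swapped.

```cisco
! Phase 1 (ISAKMP): peer authentication and key exchange
! (DH group 14 assumes an IOS that supports it)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Pre-shared key for the remote peer (PLACEHOLDER: replace before use)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2 (IPsec): transform set that protects the GRE packets
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
!
! Only GRE between the two tunnel endpoints is encrypted. The LAN
! prefixes never appear here: by the time the crypto map sees the
! traffic it is already wrapped inside GRE (inner layer first).
ip access-list extended GRE-TO-PEER
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map OUTSIDE-CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TO-PEER
!
! Inner layer: GRE tunnel sourced from the outside interface address
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
!
! Outer layer: the crypto map sits on the outside interface only;
! no crypto map on Tunnel0 (the 12.3+ behaviour the reply describes)
interface FastEthernet0/0
 description Outside / Internet
 ip address 198.51.100.1 255.255.255.0
 crypto map OUTSIDE-CM
!
interface FastEthernet0/1
 description Inside LAN 192.168.10.0/24
 ip address 192.168.10.1 255.255.255.0
!
! Route the far LAN into the tunnel: GRE encapsulation happens here,
! then the crypto map on FastEthernet0/0 encrypts the GRE packet.
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

When one peer sits behind NAT, as in the thread, the far side's `set peer`, `tunnel destination` and crypto ACL must reference the NAT-translated public address, and the session depends on NAT traversal (UDP 4500) passing through the NAT device.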

