ACL: dmvpn crypto

Need some clarification on the necessary ACL entries to cover only DMVPN crypto.

I thought I had this solid, but apparently not. I can do more lab'ing on this to figure it out, but I am trying to wrap up the finish for the lab.

Any help is appreciated. Thanks!

Below, I thought that it was sufficient to allow only ports 500 (isakmp) and 4500 (non500-isakmp).

But... I could not get it to work. Then I added the ESP entry, and the tunnel came up.

interface f0/0
  ip access-group TEST_IN in

ip access-list TEST_IN
  10 permit udp any any eq isakmp (68 matches)
  11 permit udp any any eq non500-isakmp
  15 permit esp any any (11 matches)

Comments

  • To my understanding 4500 is used with NAT-T for ISAKMP and 500 is the standard port for ISAKMP. ESP is protocol 50. So you were originally allowing just Phase 1 through and not Phase 2, since Phase 2 is where ESP is applied. If you're not NATing then non500 isn't needed, as far as I know. Allowing both isakmp and esp through should allow the crypto tunnels to come up.

    HTH
    Rob


    On Friday, January 30, 2015 11:55 AM, JoeM <[email protected]> wrote:

  • JoeM


    Okay, that makes sense. Now that I have something to work with, I will lab it -- to see it work and be quicker on the implementation/debugs. ;-)

    Thanks for such a quick response Rob. Very much appreciated.

  • No problem man, you've helped me out before. BTW I was able to get that BGP over DMVPN thing to work. Brian's VRF-aware DMVPN is one solution with multiple VRFs; the other was to remove BGP as the underlay and just use a default route to the ISP connections. iBGP over DMVPN is cake with the listen command.




    On Friday, January 30, 2015 12:55 PM, JoeM <[email protected]> wrote:

  • I have added a capture for Wireshark which shows ISAKMP negotiation and ESP encapsulated traffic - http://ieoc.com/members/welshydragon/files/DMVPN_2D00_crypto.zip.aspx

    HTH

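As an added illustration of Rob's explanation above (example code written for this thread, not from the poster, INE or Cisco): a small Python model of the TEST_IN ACL that checks the three flows DMVPN crypto needs and shows the two-line version falls through to the implicit deny for ESP, while adding the esp entry clears it. The evaluator is a simplification: it only models the "any any" addresses used here, compares IP protocol and destination port, and understands the isakmp/non500-isakmp keywords.

```python
# Added example: a toy evaluator for the thread's IOS-style ACL (not IOS code).
# Simplification: only "any any" addresses are modelled; matching is on IP
# protocol and destination port, which is all this DMVPN question turns on.

IOS_PORT_KEYWORDS = {"isakmp": 500, "non500-isakmp": 4500}
IOS_PROTO_KEYWORDS = {"udp": 17, "tcp": 6, "esp": 50, "ip": None}  # None = any

def parse_ace(line):
    """Parse e.g. '10 permit udp any any eq isakmp (68 matches)' into a dict."""
    tokens = line.split("(")[0].split()          # drop the "(N matches)" counter
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    dport = None
    if "eq" in tokens:
        port = tokens[tokens.index("eq") + 1]
        dport = int(port) if port.isdigit() else IOS_PORT_KEYWORDS[port]
    return {"seq": seq, "permit": action == "permit",
            "proto": IOS_PROTO_KEYWORDS[proto], "dport": dport}

def ace_matches(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in sorted(map(parse_ace, acl_lines), key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["permit"]
    return False

# The flows Rob lists: IKE Phase 1, NAT-T, and the ESP that carries Phase 2.
DMVPN_CRYPTO_FLOWS = {
    "ISAKMP (UDP/500)":     {"proto": 17, "dport": 500},
    "NAT-T (UDP/4500)":     {"proto": 17, "dport": 4500},
    "ESP (IP protocol 50)": {"proto": 50},
}

def blocked_flows(acl_lines):
    """Return the names of required DMVPN crypto flows the ACL would drop."""
    return [name for name, pkt in DMVPN_CRYPTO_FLOWS.items()
            if not evaluate(acl_lines, pkt)]

# The two versions of TEST_IN from the original post (constructed sample input).
ORIGINAL_ACL = ["10 permit udp any any eq isakmp (68 matches)",
                "11 permit udp any any eq non500-isakmp"]
FIXED_ACL = ORIGINAL_ACL + ["15 permit esp any any (11 matches)"]

if __name__ == "__main__":
    print("original ACL blocks:", blocked_flows(ORIGINAL_ACL))  # ['ESP (IP protocol 50)']
    print("fixed ACL blocks:   ", blocked_flows(FIXED_ACL))     # []
```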