Then the default behavior has changed.  I am not aware of when the change
occurred.  I have noticed lately a few features working that shouldn't until
I finished my configurations and I think some things are there by default
without configuration but I cannot provide any further clarification as the
results you and I are seeing are different than what is documented and I
don't have any further insights beyond test results.

For instance, I have some labs recently that I expect to cause routing loops
due to dual points of redistribution but even without tag prevention or
prefix filtering the labs just work.  It was frustrating when I was teaching
an R&S bootcamp expecting to show a problem and not being able to reproduce
a problem ;).  Even with my most notorious routing loop lab with 12.4(24)T
no loops occur and the routing table is solid. Not very fair.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]] 
Sent: Monday, September 27, 2010 11:04 AM
To: Tyson Scott
Cc: Pieter-Jan Nefkens; [email protected]
Subject: Re: [OSL | CCIE_Security] ESP across PAT

I tried creating a 2nd IPSec tunnel through the PAT router and it works fine.
The IPSec sessions are being tracked by SPIs for each IPSec tunnel
respectively.

Note: I have not configured the routers for NAT Support for IPSec ESP -
Phase II (configuration of "ip nat service-list" on the PAT router and
"crypto ipsec nat-transparency spi-matching" on the IPSec endpoints).

With regards
Kings

On Mon, Sep 27, 2010 at 7:46 PM, Tyson Scott <[email protected]> wrote:

Have you got the second tunnel up and working though yet?

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, September 27, 2010 10:06 AM
To: Pieter-Jan Nefkens
Cc: Tyson Scott; [email protected]
Subject: Re: [OSL | CCIE_Security] ESP across PAT

Hi PJ

The first link clearly explains how ICMP works with PAT using sequential
numbers. For ESP, the link says we need to use SPI matching using the "ip nat
service-list" command.

The issue is that I am observing the ESP with PAT process working using the SPI
matching logic without configuring the SPI matching configuration (NAT Support
for IPSec ESP - Phase II). I tried reloading but I still see it working without
configuration of "ip nat service-list" on the PAT router and "crypto ipsec
nat-transparency spi-matching" on the IPSec endpoints.

With regards
Kings

On Mon, Sep 27, 2010 at 7:10 PM, Pieter-Jan Nefkens <[email protected]> wrote:

Hi all,

Actually, it should work with multiple ESP tunnels and PAT with SPI
matching. That is a feature that is introduced in IOS 12.2-something..

Check out:

white paper:
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
(Search for multiple ESP through PAT)

Feature guide:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1057826

I remember this as I was playing around with it once, and I know that at one
time, the SPI matching was enabled automatically, I think it was with the
12.4T15 release (a lot of things happened then)

HTH

PJ

On 27 sep 2010, at 15:13, Kingsley Charles wrote:

Hi Tyson

I had only one ESP tunnel. Is there any specific reason for it not to work?
If ICMP can be PATed then ESP can also be PATed, right?

With regards
Kings

On Mon, Sep 27, 2010 at 6:39 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

Did you have more than one IPSec session going thru the router?  If it
automatically does SPI matching that is new to me but I expect it to not
work when you do two ESP tunnels thru the router.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, September 27, 2010 7:53 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] ESP across PAT

Any thoughts?

On Sat, Sep 25, 2010 at 7:24 PM, Kingsley Charles <[email protected]> wrote:

Hi all

We all know that NAT/PAT and firewalls might break IPSec. We use NAT-T, IPSec
over UDP and IPSec over TCP.

Some firewalls will not inspect ESP traffic, hence wrapping ESP into TCP or
UDP would solve the problem.

Another global problem is NAT or PAT in between IPSec peers.

AH won't work either with NAT or PAT as it authenticates the whole packet.
So for now let's forget about AH.

ESP doesn't authenticate the whole header and hence we can make it work
across NAT or PAT devices.

Without NAT-T, we can still have ESP across NAT devices by having the remote
device have the peer configured as the NATed address.

The interesting topic is ESP over PAT. The problem is that ESP doesn't have
a port number. How does the PAT device translate the ESP? Thus it breaks
ESP. Here comes NAT-T, which wraps ESP into UDP using port 4500 and hence PAT
devices can translate those wrapped packets.

I was trying ESP over PAT to see how IOS breaks IPSec. But it did work.
It tracks the translation using the ESP SPI number. I didn't have the IPSec
peer and PAT router configured for "ip nat service", i.e., ESP SPI matching.

Which means IOS routers doing PAT don't break ESP and are able to handle
it.

Along the same lines, I used to wonder how IOS PAT routers handle ping across.
The ICMP echo-request packets also don't have port numbers, but I see the IOS
router tracking ICMP request translations too.

So when did this change happen in IOS? An IOS router doing PAT doesn't break
IPSec using ESP.

Please share your thoughts

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
Think before you print.

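The ESP-through-PAT behaviour debated in this thread, as an added Python model (not IOS code and not from any of the posters): a PAT router that shares one outside address, rewrites ICMP echo identifiers the way it would ports, passes ESP SPIs through untouched, and can only demultiplex inbound ESP by SPI and peer address. The addresses and SPIs are constructed; the `spi_matching` flag stands in for endpoints negotiating an inbound SPI equal to the outbound one, and the "bind the first unknown SPI from a peer to the pending entry" rule is a simplification, not a description of the IOS implementation.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst ident")  # ident: ICMP echo id or ESP SPI

class PatRouter:
    """Constructed PAT model: every inside host shares one outside address."""

    def __init__(self, outside_ip, spi_matching=False):
        self.outside_ip = outside_ip
        self.spi_matching = spi_matching
        self.icmp = {}  # (peer, translated_id) -> inside host
        self.esp = []   # {"peer", "inside", "out_spi", "in_spi" (None = unknown)}
        self.next_id = 1

    def outbound(self, p):
        if p.proto == "ICMP":
            # The echo identifier plays the role of a port, so PAT can rewrite it.
            new_id, self.next_id = self.next_id, self.next_id + 1
            self.icmp[(p.dst, new_id)] = p.src
            return Pkt("ICMP", self.outside_ip, p.dst, new_id)
        # ESP: the SPI is covered by the ICV, so it must pass through unchanged. The
        # outbound SPI names the peer's inbound SA; replies carry a different SPI
        # unless the endpoints use SPI matching (inbound SPI == outbound SPI).
        self.esp.append({"peer": p.dst, "inside": p.src, "out_spi": p.ident,
                         "in_spi": p.ident if self.spi_matching else None})
        return Pkt("ESP", self.outside_ip, p.dst, p.ident)

    def inbound(self, p):
        """Inside host the packet is delivered to, or None if PAT cannot decide."""
        if p.proto == "ICMP":
            return self.icmp.get((p.src, p.ident))
        known = [e for e in self.esp if e["peer"] == p.src and e["in_spi"] == p.ident]
        if known:
            return known[0]["inside"]
        # Unknown SPI from this peer: bind it to the pending entry, which is only
        # unambiguous while exactly one inside host is talking to that peer.
        pending = [e for e in self.esp if e["peer"] == p.src and e["in_spi"] is None]
        if len(pending) != 1:
            return None
        pending[0]["in_spi"] = p.ident
        return pending[0]["inside"]

def two_tunnels_same_peer(spi_matching):
    """Hosts A and B each build an ESP tunnel to the same peer through the PAT."""
    pat, peer = PatRouter("203.0.113.1", spi_matching), "198.51.100.9"
    pat.outbound(Pkt("ESP", "10.0.0.1", peer, 0x1001))  # A: out 0x1001, in 0xA001
    pat.outbound(Pkt("ESP", "10.0.0.2", peer, 0x2002))  # B: out 0x2002, in 0xB002
    in_a, in_b = (0x1001, 0x2002) if spi_matching else (0xA001, 0xB002)
    return (pat.inbound(Pkt("ESP", peer, "203.0.113.1", in_a)),
            pat.inbound(Pkt("ESP", peer, "203.0.113.1", in_b)))
```

With one tunnel per peer the model delivers inbound ESP correctly with or without SPI matching; two inside hosts behind the same PAT talking to the same peer is the case where only SPI matching gives the PAT device enough to go on.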