Hi Tyson, I think that's pretty funny. I understand the frustration. But from the regular network guy's (non-CCIE instructor) POV, it's a pretty good change.
Thanks for always helping!

On Mon, Sep 27, 2010 at 4:43 PM, Tyson Scott <[email protected]> wrote:

> Then the default behavior has changed. I am not aware of when the change
> occurred. I have noticed lately a few features working that shouldn't until
> I finished my configurations, and I think some things are there by default
> without configuration, but I cannot provide any further clarification as the
> results you and I are seeing are different than what is documented and I
> don't have any further insights beyond test results.
>
> For instance, I have some labs recently that I expect to cause routing
> loops due to dual points of redistribution, but even without tag prevention
> or prefix filtering the labs just work. It was frustrating when I was
> teaching an R&S bootcamp expecting to show a problem and not being able to
> reproduce a problem ;). Even with my most notorious routing loop lab with
> 12.4(24)T no loops occur and the routing table is solid. Not very fair.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Monday, September 27, 2010 11:04 AM
> *To:* Tyson Scott
> *Cc:* Pieter-Jan Nefkens; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ESP across PAT
>
> I tried creating a 2nd IPSec tunnel through the PAT router and it works fine.
> The IPSec sessions are being tracked by SPIs for each IPSec tunnel
> respectively.
>
> Note: I have not configured the routers for *NAT Support for IPSec ESP -
> Phase II* (configuration of "ip nat service-list" on the PAT router and
> "crypto ipsec nat-transparency spi-matching" on the IPSec endpoints)
>
> With regards
> Kings
>
> On Mon, Sep 27, 2010 at 7:46 PM, Tyson Scott <[email protected]> wrote:
>
> Have you got the second tunnel up and working though yet?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Monday, September 27, 2010 10:06 AM
> *To:* Pieter-Jan Nefkens
> *Cc:* Tyson Scott; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ESP across PAT
>
> Hi PJ
>
> The first link clearly explains how ICMP works with PAT using sequential
> numbers. For ESP, the link says we need to use SPI matching using the "ip nat
> service-list" command.
>
> The issue is that I am observing the ESP with PAT process working using the
> SPI matching logic without configuring the SPI matching configuration (NAT
> Support for IPSec ESP - Phase II). Tried reloading but I still see it working
> without configuration of "ip nat service-list" on the PAT router and
> "crypto ipsec nat-transparency spi-matching" on the IPSec endpoints.
>
> With regards
> Kings
>
> On Mon, Sep 27, 2010 at 7:10 PM, Pieter-Jan Nefkens <[email protected]> wrote:
>
> Hi all,
>
> Actually, it should work with multiple ESP tunnels and PAT with SPI
> matching. That is a feature that is introduced in IOS 12.2-something..
>
> Check out:
>
> white paper:
> http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
> (Search for multiple ESP through PAT)
>
> Feature guide:
> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsecnat.html#wp1057826
>
> I remember this as I was playing around with it once, and I know that at
> one time, the SPI matching was enabled automatically, I think it was with
> the 12.4T15 release (a lot of things happened then)
>
> HTH
>
> PJ
>
> On 27 sep 2010, at 15:13, Kingsley Charles wrote:
>
> Hi Tyson
>
> I had only one ESP tunnel. Is there any specific reason for it not to work?
> If ICMP can be PATed then ESP can also be PATed, right?
>
> With regards
> Kings
>
> On Mon, Sep 27, 2010 at 6:39 PM, Tyson Scott <[email protected]> wrote:
>
> Kingsley,
>
> Did you have more than one IPSec session going thru the router? If it
> automatically does SPI matching that is new to me, but I expect it to not
> work when you do two ESP tunnels thru the router.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Monday, September 27, 2010 7:53 AM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ESP across PAT
>
> Any thoughts?
>
> On Sat, Sep 25, 2010 at 7:24 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> We all know that NAT/PAT and firewalls might break IPSec. We use NAT-T,
> IPSec over UDP and IPSec over TCP.
>
> Some firewalls will not inspect ESP traffic, hence wrapping ESP into TCP
> or UDP would solve the problem.
>
> Another global problem is NAT or PAT in between IPSec peers.
>
> AH won't work either with NAT or PAT as it authenticates the whole packet.
> So for now let's forget about AH.
>
> ESP doesn't authenticate the whole header and hence we can make it work
> across NAT or PAT devices.
>
> Without NAT-T, we can still have ESP across NAT devices by having the
> remote device have its peer configured as the NATed address.
>
> The interesting topic is ESP over PAT. The problem is that ESP doesn't have
> a port number. How does the PAT device translate the ESP? Thus it breaks
> ESP. Here comes NAT-T, which wraps ESP into UDP using port 4500, and hence PAT
> devices can translate those wrapped packets.
>
> I was trying ESP over PAT to see how IOS breaks IPSec. But it did
> work. It tracks the translation using the ESP SPI number. I didn't have the
> IPSec peer and PAT router configured for "ip nat service", i.e., ESP SPI matching.
>
> Which means IOS routers doing PAT don't break ESP and are able to handle
> it.
>
> Along the same lines, I used to wonder how IOS PAT routers handle ping across.
> The ICMP echo-request packets also don't have port numbers, but I see IOS
> routers tracking ICMP request translations too.
>
> So when did this change happen in IOS? IOS routers doing PAT don't break
> IPSec using ESP.
>
> Please share your thoughts
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
> Think before you print.

--
Best Regards,
Tolulope.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
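As an added illustration (not code from this thread, from IPexpert or from Cisco), here is a toy PAT translation table in Python that shows why the participants expected a second ESP tunnel through PAT to break: ICMP and NAT-T UDP carry an identifier the PAT device can rewrite, but an ESP reply carries only a peer-chosen SPI that the PAT device has never seen. The "newest pending host" guess and the equal-SPI behaviour under SPI matching are simplifying assumptions of this model, not a description of IOS internals; all addresses and SPI values are constructed.

```python
# Toy model of a PAT translation table (constructed example, not IOS code).
# Each protocol is matched on the one per-flow field that survives NAT:
# UDP (NAT-T uses port 4500) -> port, ICMP echo -> identifier, ESP -> SPI.
# Assumption for illustration only: without SPI matching the PAT device
# cannot know which SPI the peer's reply will carry, so it maps the first
# ESP reply from a peer to the newest inside host still waiting on that
# peer; with SPI matching the endpoints use the same SPI in both directions.

class ToyPat:
    def __init__(self, spi_matching=False):
        self.spi_matching = spi_matching
        self.inbound = {}   # (proto, key, peer) -> inside host
        self.pending = {}   # peer -> inside hosts awaiting their first ESP reply

    def outbound(self, proto, inside, peer, key):
        """Register an outbound packet; return the key the peer will see."""
        if proto in ("udp", "icmp"):
            # Ports and ICMP identifiers can be rewritten, so a collision
            # between two inside hosts is resolved with a fresh outside value.
            outside_key = key
            while (proto, outside_key, peer) in self.inbound:
                outside_key += 1
            self.inbound[(proto, outside_key, peer)] = inside
            return outside_key
        if proto == "esp":
            if self.spi_matching:
                self.inbound[("esp", key, peer)] = inside  # reply SPI known
            else:
                self.pending.setdefault(peer, []).append(inside)
            return key  # the SPI is authenticated, so it cannot be rewritten
        raise ValueError(f"unsupported protocol {proto}")

    def inbound_lookup(self, proto, peer, key):
        """Return the inside host a return packet is delivered to, or None."""
        host = self.inbound.get((proto, key, peer))
        if host is None and proto == "esp" and self.pending.get(peer):
            host = self.pending[peer].pop()  # best guess: newest pending host
            self.inbound[("esp", key, peer)] = host
        return host

def two_tunnels_through_pat(spi_matching):
    """Hosts A and B each start an ESP tunnel to the same peer, then the
    peer's first reply to A arrives. Returns the host PAT delivers it to."""
    pat = ToyPat(spi_matching)
    peer = "203.0.113.1"  # constructed documentation address
    pat.outbound("esp", "10.0.0.11", peer, 0x1001)  # host A, constructed SPI
    pat.outbound("esp", "10.0.0.12", peer, 0x2002)  # host B, constructed SPI
    # With matching, A's reply carries A's own SPI 0x1001; without it the
    # peer chose an unrelated value (0x3A3A here) that PAT has never seen.
    return pat.inbound_lookup("esp", peer, 0x1001 if spi_matching else 0x3A3A)
```

Without matching the reply for host A is handed to host B, which is the failure the thread anticipated; NAT-T sidesteps the whole question by giving the PAT device a UDP port to track instead.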
