Hi,
I’m working now with GETVPN over DMVPN and I have some doubts about the lab in the WB. I expected GETVPN to encrypt the traffic that is sent over the Tunnel interface. The implementation presented in the WB is different, and I’d like to ask you for your opinion.
The GET VPN ACL – traffic between Loopback interfaces:
access-list 100 permit ip 150.1.0.0 0.0.255.255 150.1.0.0 0.0.255.255
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.100.100.0/24 is directly connected, Tunnel0
L 100.100.100.2/32 is directly connected, Tunnel0
136.1.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 136.1.3.0/24
[90/28672] via 136.1.28.8, 00:17:12, GigabitEthernet0/0.28
D 136.1.18.0/24
[90/26112] via 136.1.28.8, 00:17:17, GigabitEthernet0/0.28
C 136.1.22.0/24 is directly connected, GigabitEthernet0/0.22
L 136.1.22.2/32 is directly connected, GigabitEthernet0/0.22
C 136.1.28.0/24 is directly connected, GigabitEthernet0/0.28
L 136.1.28.2/32 is directly connected, GigabitEthernet0/0.28
D 136.1.33.0/24 [90/26882560] via 100.100.100.3, 00:03:39, Tunnel0
D 136.1.38.0/24
[90/26112] via 136.1.28.8, 00:17:17, GigabitEthernet0/0.28
150.1.0.0/32 is subnetted, 3 subnets
D 150.1.1.1 [90/154112] via 136.1.28.8, 00:17:12, GigabitEthernet0/0.28
C 150.1.2.2 is directly connected, Loopback0
D 150.1.3.3 [90/154112] via 136.1.28.8, 00:17:12, GigabitEthernet0/0.28
R2#
R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.100.100.0/24 is directly connected, Tunnel0
L 100.100.100.3/32 is directly connected, Tunnel0
136.1.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 136.1.3.0/24 is directly connected, FastEthernet0/0.3
L 136.1.3.3/32 is directly connected, FastEthernet0/0.3
D 136.1.18.0/24 [90/28416] via 136.1.38.8, 00:14:03, FastEthernet0/0.38
D 136.1.22.0/24 [90/26880256] via 100.100.100.2, 00:00:25, Tunnel0
D 136.1.28.0/24 [90/28416] via 136.1.38.8, 00:14:03, FastEthernet0/0.38
C 136.1.33.0/24 is directly connected, FastEthernet0/0.33
L 136.1.33.3/32 is directly connected, FastEthernet0/0.33
C 136.1.38.0/24 is directly connected, FastEthernet0/0.38
L 136.1.38.3/32 is directly connected, FastEthernet0/0.38
150.1.0.0/32 is subnetted, 3 subnets
D 150.1.1.1 [90/156416] via 136.1.38.8, 00:14:03, FastEthernet0/0.38
D 150.1.2.2 [90/156416] via 136.1.38.8, 00:14:03, FastEthernet0/0.38
C 150.1.3.3 is directly connected, Loopback0
R3#
When I send traffic between Loopback interfaces, GET VPN encrypts the traffic, but over the physical interfaces, not over the tunnel. We could change it simply with the following ACL on the KS:
deny udp any eq 848 any eq 848
permit gre any any
but I’m not sure now which solution is correct: the first, the second, or both?
Thanks
Hubert
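To make the difference between the two crypto ACLs concrete, here is an added Python model (not part of Hubert's post and not a WB solution) that walks a packet through R2's routing table as transcribed above, GRE-encapsulates it if the egress is Tunnel0, and then classifies the packet that actually leaves the physical interface against each GET VPN ACL. It assumes, since the post does not show it, that the DMVPN tunnel is sourced from R2's 136.1.28.2 address and that NHRP resolves R3's tunnel address 100.100.100.3 to 136.1.38.3; the GDOI packet is a constructed sample.

```python
import ipaddress

ANY = "any"

# Constructed subset of R2's routing table from the post: prefix -> (egress, next hop)
R2_ROUTES = {
    "100.100.100.0/24": ("Tunnel0", None),
    "136.1.22.0/24": ("GigabitEthernet0/0.22", None),
    "136.1.28.0/24": ("GigabitEthernet0/0.28", None),
    "136.1.33.0/24": ("Tunnel0", "100.100.100.3"),
    "136.1.38.0/24": ("GigabitEthernet0/0.28", "136.1.28.8"),
    "150.1.1.1/32": ("GigabitEthernet0/0.28", "136.1.28.8"),
    "150.1.2.2/32": ("Loopback0", None),
    "150.1.3.3/32": ("GigabitEthernet0/0.28", "136.1.28.8"),
}

# Assumptions not in the post: tunnel source on R2 and the NHRP mapping for R3.
TUNNEL_SRC = "136.1.28.2"
NHRP = {"100.100.100.3": "136.1.38.3"}


def ace(action, proto, src, swc, dst, dwc, sport=None, dport=None):
    """One access-list entry in IOS wildcard style."""
    return dict(action=action, proto=proto, src=src, swc=swc,
                dst=dst, dwc=dwc, sport=sport, dport=dport)


# ACL 100 from the post: encrypt traffic between the Loopback interfaces.
ACL_LOOPBACK = [ace("permit", "ip", "150.1.0.0", "0.0.255.255",
                    "150.1.0.0", "0.0.255.255")]

# The alternative from the post: exclude GDOI (UDP 848), encrypt the GRE tunnel itself.
ACL_GRE = [ace("deny", "udp", ANY, ANY, ANY, ANY, 848, 848),
           ace("permit", "gre", ANY, ANY, ANY, ANY)]


def lookup(routes, dst):
    """Longest-prefix match over the routing table, as the RIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else (None, None)


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set in the wildcard are don't-care bits."""
    if base == ANY:
        return True
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, pkt):
    """First matching entry decides; no match is the implicit deny (sent in clear)."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], e["src"], e["swc"]):
            continue
        if not wildcard_match(pkt["dst"], e["dst"], e["dwc"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"] == "permit"
    return False


def forward(pkt, crypto_acl, routes=R2_ROUTES):
    """Return (physical egress, gre_encapsulated, encrypted) for a packet leaving R2."""
    iface, nexthop = lookup(routes, pkt["dst"])
    outer, encapsulated = pkt, False
    if iface == "Tunnel0":
        # mGRE encapsulation: the outer header is what the crypto map sees.
        outer = {"proto": "gre", "src": TUNNEL_SRC, "dst": NHRP[nexthop]}
        encapsulated = True
        iface, _ = lookup(routes, outer["dst"])
    # GET VPN applies the KS-distributed ACL on the physical interface.
    return iface, encapsulated, acl_permits(crypto_acl, outer)


LOOPBACK_PING = {"proto": "icmp", "src": "150.1.2.2", "dst": "150.1.3.3"}
LAN_TO_LAN = {"proto": "icmp", "src": "136.1.22.2", "dst": "136.1.33.3"}
GDOI_REKEY = {"proto": "udp", "src": "136.1.28.2", "dst": "136.1.28.8",
              "sport": 848, "dport": 848}  # constructed sample

if __name__ == "__main__":
    for name, pkt in [("loopback", LOOPBACK_PING), ("lan", LAN_TO_LAN), ("gdoi", GDOI_REKEY)]:
        print(name, "ACL 100:", forward(pkt, ACL_LOOPBACK), "GRE ACL:", forward(pkt, ACL_GRE))
```

The model reproduces what the post observed: 150.1.2.2 to 150.1.3.3 follows the /32 route out GigabitEthernet0/0.28 and never touches Tunnel0, so ACL 100 encrypts it on the physical interface. It also shows the trade-off between the two choices. With the GRE ACL that same loopback traffic no longer matches anything and leaves in the clear, while LAN-to-LAN traffic routed into Tunnel0 is encrypted only under the GRE ACL, because the outer GRE header carries the tunnel's NBMA addresses, not 150.1.x.x. Whichever ACL is chosen, anything it does not permit is sent unencrypted, so the ACL has to be written for the addresses that actually appear on the interface holding the crypto map.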