Kings,

So what's really gonna bake your noodle later is where you came across this theory in the first place :-) I also thought this way until I actually labbed this up to prove the theory. And after, I was adamant that I had read this somewhere but could never find it when I tried to. The reality is that both solutions below yield exactly the same result but configured 2 different ways.

What you always see on the wire is IPSEC, or more specifically ESP. Take for instance the tunnel configuration.

interface Tunnel0
 ip address 6.6.45.4 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 6.6.25.2
 tunnel key 123
 tunnel protection ipsec profile GRE

interface Tunnel0
 ip address 6.6.45.2 255.255.255.0
 tunnel source Serial0/1/0
 tunnel destination 6.6.146.4
 tunnel key 123
 tunnel protection ipsec profile GRE

Just to prove what was being seen I dropped a deny ip any any log on a device in between the tunnel endpoints. As you can see below IP protocol 50 (ESP) was dropped not IP 47 (GRE).

Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4

Lab this up for yourself and either get Wireshark between your endpoints or a router/ASA to see the traffic that is going across the wire. It's been a while since I did this myself, but I seem to remember trying several different configurations for this and regardless of each you always see ESP not GRE. On this I may be wrong though, I may have missed a method that provides this result.

Stu

2009/8/30 Kingsley Charles

> Hi Taqdir
>
> This has been always a confusing subject but quite interesting.
>
> There is no terminology as IPSec over GRE. It is always GREoIPSec.
>
> But the question, do you want to put the IPSec into GRE or GRE into IPSec.
> It all depends on your configuration.
>
> GREoIPSec is mostly used, when we need encryption but the traffic is not
> IPSec compatible. For example, multicast or non IP traffic can't be
> encapsulated directly into IPSec. Hence first we encapsulate using GRE and
> then place it in IPSec.
>
> When you apply crypto map directly on the GRE tunnel interface, IPSec
> encapsulates the interesting traffic and then this IPSec packet is placed
> into GRE.
>
> interface Tunnel0
>  ip address 10.20.30.40
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>  crypto map vpn
>
> or
>
> interface Tunnel0
>  ip address 10.20.30.40
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>  tunnel protection ipsec profile mine
>
> When you apply crypto map on the physical interface to which the GRE tunnel
> is sourced and have interesting traffic as GRE, then the GRE traffic is
> placed into IPSec.
>
> interface Tunnel0
>  ip address 10.20.30.40 255.255.255.0
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>
> int FastEthernet1/0
>  crypto map vpn
>
> With regards
> Kings
>
> On Sun, Aug 30, 2009 at 6:58 PM, Taqdir Singh wrote:
>
>> could any one please clear the basic diff bet
>>
>> gre over ipsec vs ipsec over gre
>>
>> --
>> Taqdir Singh | Network Engineering | 09911709496
>>
>> Do today what others won't so you can live tomorrow as others can't
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
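A way to repeat the check from the message above over a longer log capture, as an added example that is not part of the original thread: it tallies the IP protocol numbers in %SEC-6-IPACCESSLOGNP lines seen between two tunnel endpoints and flags GRE that crossed the wire outside ESP. The function names, the optional ", N packets" suffix handling and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# IANA IP protocol numbers relevant to the thread.
PROTO_NAMES = {47: "GRE", 50: "ESP", 51: "AH"}

# Body of a %SEC-6-IPACCESSLOGNP message in the form quoted in the post.
# The trailing ", N packet(s)" counter is treated as optional (assumption).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:, (?P<count>\d+) packets?)?"
)

def protocols_between(lines, endpoint_a, endpoint_b):
    """Count packets per IP protocol logged between the two tunnel endpoints."""
    pair = {endpoint_a, endpoint_b}
    seen = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        # Ignore unrelated syslog lines and traffic between other hosts.
        if not m or {m["src"], m["dst"]} != pair:
            continue
        proto = int(m["proto"])
        name = PROTO_NAMES.get(proto, f"proto-{proto}")
        seen[name] += int(m["count"] or 1)
    return seen

def cleartext_gre_seen(lines, endpoint_a, endpoint_b):
    """True if GRE (IP 47) was logged unencrypted between the endpoints."""
    return protocols_between(lines, endpoint_a, endpoint_b)["GRE"] > 0

# First line is the one quoted in the post; the other two are constructed.
SAMPLE = [
    "Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4",
    "Aug 30 21:51:09.114: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.146.4 -> 6.6.25.2, 3 packets",
    "Aug 30 21:52:40.002: %SEC-6-IPACCESSLOGNP: list 100 denied 47 10.20.30.40 -> 10.20.30.43, 2 packets",
]

if __name__ == "__main__":
    print(dict(protocols_between(SAMPLE, "6.6.25.2", "6.6.146.4")))
    print(cleartext_gre_seen(SAMPLE, "6.6.25.2", "6.6.146.4"))
```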
