Hi Stuart

There is a difference in using "tunnel protection ipsec" and applying crypto
map directly to the tunnel interface.

If you use "tunnel protection ipsec", then the interesting traffic will be
GRE with source/destination address of the tunnel's physical address. IOS
automatically adds it.

If you use "crypto map" on the tunnel interface and try to match the GRE
traffic as tunnel protection ipsec does, the IPSec tunnel won't come up. With
crypto map on the tunnel interface, the interesting traffic should be the
traffic that is being routed into the tunnel interface, i.e., the untunneled
GRE traffic.

You can see the difference using "show crypto ipsec sa".

This is the difference I was trying to tell.

But for both cases, as you said, ESP is the outer packet, not GRE.

When you put the crypto map on the tunnel interface, encryption is
happening first, but when you use tunnel ipsec protection, GRE tunneling is
happening first. But for both cases, at the end, ESP is the outer packet.


I am yet to try with wireshark. That would give a better picture.



With regards
Kings
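As an added example (not from any poster in this thread), a small Python check that parses the IOS ACL log line Stuart quotes below and counts, per endpoint pair, whether ESP or cleartext GRE is crossing the wire; the endpoint addresses come from his log line, while the GRE and OSPF lines are constructed.

```python
import re

IP_PROTO = {47: "GRE", 50: "ESP", 51: "AH"}  # IP protocol numbers from the thread

# Matches the IOS %SEC-6-IPACCESSLOGNP message quoted by Stuart; the timestamp
# prefix and any trailing ", N packets" are ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
)

def parse_acl_log(line):
    """Parse one ACL log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    rec["proto_name"] = IP_PROTO.get(rec["proto"], str(rec["proto"]))
    return rec

def classify_tunnel_traffic(lines, endpoint_a, endpoint_b):
    """Count what crossed the wire between two tunnel endpoint addresses."""
    # ESP (50) is what a working GRE-over-IPsec tunnel shows on the wire;
    # GRE (47) between the same pair means GRE packets are leaving in the clear.
    pair = frozenset((endpoint_a, endpoint_b))
    counts = {"esp": 0, "cleartext_gre": 0, "other": 0}
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or frozenset((rec["src"], rec["dst"])) != pair:
            continue  # unparseable, or traffic between some other hosts
        if rec["proto"] == 50:
            counts["esp"] += 1
        elif rec["proto"] == 47:
            counts["cleartext_gre"] += 1
        else:
            counts["other"] += 1
    return counts

# Sample input: the first line is Stuart's log message from the thread; the
# GRE (47) and OSPF (89) lines are constructed for this example.
SAMPLE_LOGS = [
    "Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4",
    "Aug 30 21:52:10.001: %SEC-6-IPACCESSLOGNP: list 100 denied 47 6.6.146.4 -> 6.6.25.2, 1 packet",
    "Aug 30 21:52:11.002: %SEC-6-IPACCESSLOGNP: list 100 denied 89 6.6.25.2 -> 6.6.146.4, 1 packet",
]

if __name__ == "__main__":
    print(classify_tunnel_traffic(SAMPLE_LOGS, "6.6.25.2", "6.6.146.4"))
```

A non-zero cleartext_gre count for a pair that should be protected is the condition worth alerting on.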

On Mon, Aug 31, 2009 at 12:47 AM, Stuart Hare <[email protected]> wrote:

> Kings,
>
> So what's really gonna bake your noodle later is where you came across this
> theory in the first place :-)
> I also thought this way until I actually labbed this up to prove the
> theory, and afterwards was adamant that I had read this somewhere but could never
> find it when I tried to. The reality is that both solutions below yield
> exactly the same result but configured 2 different ways.
>
> What you always see on the wire is IPSEC, or more specifically ESP.
>
> Take for instance the tunnel configuration.
>
> interface Tunnel0
>  ip address 6.6.45.4 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 6.6.25.2
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> interface Tunnel0
>  ip address 6.6.45.2 255.255.255.0
>  tunnel source Serial0/1/0
>  tunnel destination 6.6.146.4
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> Just to prove what was being seen I dropped a deny ip any any log on a
> device in between the tunnel endpoints.
> As you can see below IP protocol 50 (ESP) was dropped not IP 47 (GRE).
>
> Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 ->
> 6.6.146.4
>
> Lab this up for yourself and either get wireshark between your endpoints or
> a router/asa to see the traffic that is going across the wire.
>
> It's been a while since I did this myself, but I seem to remember trying
> several different configurations for this and regardless of each you always
> see ESP not GRE. On this I may be wrong though; I may have missed a method
> that provides this result.
>
> Stu
> 2009/8/30 Kingsley Charles <[email protected]>
>
>> Hi Taqdir
>>
>> This has always been a confusing subject, but quite interesting.
>>
>> There is no terminology as IPSec over GRE. It is always GREoIPSec.
>>
>> But the question is, do you want to put the IPSec into GRE or GRE into IPSec?
>> It all depends on your configuration.
>>
>> GREoIPSec is mostly used when we need encryption but the traffic is not
>> IPSec compatible. For example, multicast or non-IP traffic can't be
>> encapsulated directly into IPSec. Hence first we encapsulate using GRE and
>> then place it in IPSec.
>>
>>
>> When you apply crypto map directly on the GRE tunnel interface, IPSec
>> encapsulates the interesting traffic and then this IPSec packet is placed
>> into GRE.
>>
>> interface Tunnel0
>> ip address 10.20.30.40
>> tunnel source FastEthernet1/0
>> tunnel destination 10.20.30.43
>> crypto map vpn
>>
>>
>> or
>>
>> interface Tunnel0
>> ip address 10.20.30.40
>> tunnel source FastEthernet1/0
>> tunnel destination 10.20.30.43
>> tunnel protection ipsec profile mine
>>
>> When you apply crypto map on the physical interface to which the GRE
>> tunnel is sourced and have interesting traffic as GRE, then the GRE traffic
>> is placed into IPSec.
>>
>> interface Tunnel0
>> ip address 10.20.30.40 255.255.255.0
>> tunnel source FastEthernet1/0
>> tunnel destination 10.20.30.43
>>
>> int FastEthernet1/0
>> crypto map vpn
>>
>> With regards
>> Kings
>>
>>
>>
>> On Sun, Aug 30, 2009 at 6:58 PM, Taqdir Singh <[email protected]> wrote:
>>
>>> could anyone please clear the basic diff between
>>>
>>> gre over ipsec vs ipsec over gre
>>>
>>>
>>>
>>> --
>>> Taqdir Singh | Network Engineering | 09911709496
>>>
>>> Do today what others won't so you can live tomorrow as others can't
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>>
>>
>>
>>
>