Hi all

This topic "GREoIPSec" and "IPSecoGRE" has always been revolving around for
a long time.

I am not sure if anyone will use IPSec in GRE, or whether it is configurable :-)

To conclude:

*"Tunnel protection ipsec" on the tunnel interface, or having a crypto map matching
GRE traffic on the physical interface, will make the GREoIPSec connection,
i.e., GRE in the inner packet and ESP as the outer header.*

*IPSec over GRE has always been a debatable topic :-)*

With regards
Kings

On Tue, Sep 1, 2009 at 7:31 AM, Shawn H. Mesiatowsky <[email protected]> wrote:

> You should not be trying to apply the crypto map to the tunnel interface
> matching the gre traffic, you should be applying a crypto map to the
> physical interface and the interesting traffic should be the gre traffic.
> This will bring up the tunnel and encrypt the gre traffic. Stuart was
> correct in his earlier post, applying a crypto map to the physical
> interface, or protecting the tunnel using the tunnel protection ipsec
> profile … has the same outcome. The gre traffic is encrypted and all that
> travels between the routers is esp packets and not gre packets. I have just
> labbed this up to confirm with wireshark sniffing the traffic. Amazing,
> because I too remember reading somewhere that tunnel protection would
> encrypt the contents of the gre packet, but not the gre packet itself.
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Monday, August 31, 2009 2:01 AM
> *To:* Stuart Hare
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] gre over ipsec vs ipsec over gre
>
> Hi Stuart
>
> There is a difference in using "tunnel protection ipsec" and applying a
> crypto map directly to the tunnel interface.
>
> If you use "tunnel protection ipsec", then the interesting traffic will be
> GRE with source/destination address of the tunnel's physical address. IOS
> automatically adds it.
>
> If you use "crypto map" on the tunnel interface and try to match the GRE
> traffic as tunnel protection ipsec does, the IPSec tunnel won't come up. With
> a crypto map on the tunnel interface, interesting traffic should be the
> traffic that is being routed into the tunnel interface, i.e., the untunneled
> GRE traffic.
>
> You can see the difference using "show crypto ipsec sa".
>
> This is the difference I was trying to tell.
>
> But for both cases, as you said, ESP is the outer packet, not GRE.
>
> When you put the crypto map on the tunnel interface, encryption is
> happening first, but when you use tunnel ipsec protection, GRE tunneling is
> happening first. But for both cases, at the end ESP is the outer packet.
>
> I am yet to try with wireshark. That would give a better picture.
>
> With regards
>
> Kings
>
> On Mon, Aug 31, 2009 at 12:47 AM, Stuart Hare <[email protected]>
> wrote:
>
> Kings,
>
> So what's really gonna bake your noodle later is where you came across this
> theory in the first place :-)
>
> I also thought this way until I actually labbed this up to prove the
> theory. And afterwards I was adamant that I had read this somewhere but could
> never find it when I tried to. The reality is that both solutions below yield
> exactly the same result but configured 2 different ways.
>
> What you always see on the wire is IPSEC, or more specifically ESP.
>
> Take for instance the tunnel configuration.
>
> interface Tunnel0
>  ip address 6.6.45.4 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 6.6.25.2
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> interface Tunnel0
>  ip address 6.6.45.2 255.255.255.0
>  tunnel source Serial0/1/0
>  tunnel destination 6.6.146.4
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> Just to prove what was being seen I dropped a deny ip any any log on a
> device in between the tunnel endpoints.
>
> As you can see below, IP protocol 50 (ESP) was dropped, not IP 47 (GRE).
>
> Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4
>
> Lab this up for yourself and either get wireshark between your endpoints or
> a router/asa to see the traffic that is going across the wire.
>
> It's been a while since I did this myself, but I seem to remember trying
> several different configurations for this and regardless of each you always
> see ESP not GRE. On this I may be wrong though, I may have missed a method
> that provides this result.
>
> Stu
>
> 2009/8/30 Kingsley Charles <[email protected]>
>
> Hi Taqdir
>
> This has always been a confusing subject but quite interesting.
>
> There is no terminology as IPSec over GRE. It is always GREoIPSec.
>
> But the question is, do you want to put the IPSec into GRE or GRE into IPSec?
> It all depends on your configuration.
>
> GREoIPSec is mostly used when we need encryption but the traffic is not
> IPSec compatible. For example, multicast or non-IP traffic can't be
> encapsulated directly into IPSec. Hence first we encapsulate using GRE and
> then place it in IPSec.
>
> When you apply a crypto map directly on the GRE tunnel interface, IPSec
> encapsulates the interesting traffic and then this IPSec packet is placed
> into GRE.
>
> interface Tunnel0
> ip address 10.20.30.40
> tunnel source FastEthernet1/0
> tunnel destination 10.20.30.43
> crypto map vpn
>
> or
>
> interface Tunnel0
> ip address 10.20.30.40
> tunnel source FastEthernet1/0
> tunnel destination 10.20.30.43
> tunnel protection ipsec profile mine
>
> When you apply a crypto map on the physical interface to which the GRE tunnel
> is sourced and have interesting traffic as GRE, then the GRE traffic is
> placed into IPSec.
>
> interface Tunnel0
> ip address 10.20.30.40 255.255.255.0
> tunnel source FastEthernet1/0
> tunnel destination 10.20.30.43
>
> int FastEthernet1/0
> crypto map vpn
>
> With regards
>
> Kings
>
> On Sun, Aug 30, 2009 at 6:58 PM, Taqdir Singh <[email protected]>
> wrote:
>
> could anyone please clear the basic diff between
>
> gre over ipsec vs ipsec over gre
>
> --
> Taqdir Singh | Network Engineering | 09911709496
>
> Do today what others won't so you can live tomorrow as others can't
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
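As an added illustration that is not part of the thread, the Python sketch below builds both encapsulation orders the thread argues about (GRE inside ESP, and the ESP-inside-GRE order Kings first assumed) and parses the IOS ACL deny line Stu quoted. The header fields, SPI and sample ICMP payload are constructed for the demo and no cipher is applied to the ESP payload; the tunnel addresses and key 123 are taken from Stu's configuration. The logged protocol 50 is consistent only with the GRE packet sitting inside ESP.

```python
import re
import struct

IPPROTO_GRE, IPPROTO_ESP, IPPROTO_ICMP = 47, 50, 1

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed, not a real stack)."""
    addr = lambda a: bytes(int(o) for o in a.split('.'))
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, addr(src), addr(dst))

def gre_header(key):
    """GRE header with the K bit set and a 32-bit key, as 'tunnel key 123' produces."""
    return struct.pack('!HHI', 0x2000, 0x0800, key)

def esp_header(spi, seq):
    """ESP SPI + sequence number; the payload stays in the clear here (no cipher applied)."""
    return struct.pack('!II', spi, seq)

def gre_over_ipsec(inner, tun_src, tun_dst, key=123, spi=0x1000):
    """GRE first, then ESP protects the whole GRE packet (what the lab in the thread saw)."""
    gre_pkt = ipv4_header(tun_src, tun_dst, IPPROTO_GRE, 8 + len(inner)) + gre_header(key) + inner
    esp = esp_header(spi, 1) + gre_pkt
    return ipv4_header(tun_src, tun_dst, IPPROTO_ESP, len(esp)) + esp

def ipsec_over_gre(inner, tun_src, tun_dst, key=123, spi=0x1000):
    """The reverse order the thread initially assumed: ESP first, then GRE carries the ESP packet."""
    esp = esp_header(spi, 1) + inner
    esp_pkt = ipv4_header(tun_src, tun_dst, IPPROTO_ESP, len(esp)) + esp
    return ipv4_header(tun_src, tun_dst, IPPROTO_GRE, 8 + len(esp_pkt)) + gre_header(key) + esp_pkt

def outer_protocol(pkt):
    """Protocol field (byte 9) of the outermost IPv4 header: what an in-path ACL logs."""
    return pkt[9]

LOG_RE = re.compile(r'%SEC-6-IPACCESSLOGNP: list (\S+) denied (\d+) (\S+) -> (\S+)')

def parse_acl_log(line):
    """Pull list, protocol number, src and dst out of an IOS IPACCESSLOGNP deny message."""
    m = LOG_RE.search(line)
    return None if not m else {'list': m.group(1), 'proto': int(m.group(2)),
                               'src': m.group(3), 'dst': m.group(4)}

def consistent_with(log_entry, pkt):
    """True when the logged protocol matches the outer header of the candidate encapsulation."""
    return log_entry['proto'] == outer_protocol(pkt)

# Constructed sample: an ICMP echo inside the GRE tunnel, plus the deny line from the thread.
INNER = ipv4_header('6.6.45.2', '6.6.45.4', IPPROTO_ICMP, 8) + b'\x08\x00' + b'\x00' * 6
SAMPLE_LOG = 'Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4'
```

Running `consistent_with(parse_acl_log(SAMPLE_LOG), pkt)` against both builders shows the logged ESP matches only the GRE-over-IPsec packet.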