I will state that in 12.2T and below days you had to apply the crypto map to both the physical and the GRE. It was a "feature" that was later fixed, but they always tried to trip you up with it on the test. So you guys may have been confused by this fact. 12.3T and above had fixed this, and now you only apply the crypto map to the physical interface or use the tunnel protection profile.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn H. Mesiatowsky
Sent: Monday, August 31, 2009 10:01 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] gre over ipsec vs ipsec over gre

You should not be trying to apply the crypto map to the tunnel interface matching the GRE traffic; you should be applying a crypto map to the physical interface, and the interesting traffic should be the GRE traffic. This will bring up the tunnel and encrypt the GRE traffic. Stuart was correct in his earlier post: applying a crypto map to the physical interface, or protecting the tunnel using the tunnel protection ipsec profile, has the same outcome. The GRE traffic is encrypted, and all that travels between the routers is ESP packets and not GRE packets. I have just labbed this up to confirm with Wireshark sniffing the traffic. Amazing, because I too remember reading somewhere that tunnel protection would encrypt the contents of the GRE packet, but not the GRE packet itself.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, August 31, 2009 2:01 AM
To: Stuart Hare
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] gre over ipsec vs ipsec over gre

Hi Stuart

There is a difference in using "tunnel protection ipsec" and applying a crypto map directly to the tunnel interface. If you use "tunnel protection ipsec", then the interesting traffic will be GRE with the source/destination address of the tunnel's physical address. IOS automatically adds it. If you use "crypto map" on the tunnel interface and try to match the GRE traffic as tunnel protection ipsec does, the IPsec tunnel won't come up. With a crypto map on the tunnel interface, the interesting traffic should be the traffic that is being routed into the tunnel interface, i.e., the untunneled GRE traffic. You can see the difference using "show crypto ipsec sa". This is the difference I was trying to tell. But for both cases, as you said, ESP is the outer packet, not GRE. When you put the crypto map on the tunnel interface, encryption is happening first, but when you use tunnel ipsec protection, GRE tunneling is happening first. But for both cases, at the end, ESP is the outer packet. I am yet to try with Wireshark. That would give a better picture.

With regards
Kings

On Mon, Aug 31, 2009 at 12:47 AM, Stuart Hare <[email protected]> wrote:

Kings,

So what's really gonna bake your noodle later is where you came across this theory in the first place :-)

I also thought this way until I actually labbed this up to prove the theory, and afterwards was adamant that I had read this somewhere but could never find it when I tried to.

The reality is that both solutions below yield exactly the same result but configured 2 different ways. What you always see on the wire is IPsec, or more specifically ESP.

Take for instance the tunnel configuration.

interface Tunnel0
 ip address 6.6.45.4 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 6.6.25.2
 tunnel key 123
 tunnel protection ipsec profile GRE

interface Tunnel0
 ip address 6.6.45.2 255.255.255.0
 tunnel source Serial0/1/0
 tunnel destination 6.6.146.4
 tunnel key 123
 tunnel protection ipsec profile GRE

Just to prove what was being seen, I dropped a deny ip any any log on a device in between the tunnel endpoints. As you can see below, IP protocol 50 (ESP) was dropped, not IP 47 (GRE).

Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4

Lab this up for yourself and either get Wireshark between your endpoints or a router/ASA to see the traffic that is going across the wire.

It's been a while since I did this myself, but I seem to remember trying several different configurations for this, and regardless of each you always see ESP, not GRE. On this I may be wrong though; I may have missed a method that provides this result.

Stu

2009/8/30 Kingsley Charles <[email protected]>

Hi Taqdir

This has always been a confusing subject but quite interesting. There is no terminology as IPsec over GRE. It is always GREoIPsec. But the question is, do you want to put the IPsec into GRE or GRE into IPsec? It all depends on your configuration. GREoIPsec is mostly used when we need encryption but the traffic is not IPsec compatible. For example, multicast or non-IP traffic can't be encapsulated directly into IPsec. Hence first we encapsulate using GRE and then place it in IPsec.

When you apply the crypto map directly on the GRE tunnel interface, IPsec encapsulates the interesting traffic and then this IPsec packet is placed into GRE.

interface Tunnel0
 ip address 10.20.30.40 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 10.20.30.43
 crypto map vpn

or

interface Tunnel0
 ip address 10.20.30.40 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 10.20.30.43
 tunnel protection ipsec profile mine

When you apply the crypto map on the physical interface to which the GRE tunnel is sourced and have the interesting traffic as GRE, then the GRE traffic is placed into IPsec.

interface Tunnel0
 ip address 10.20.30.40 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 10.20.30.43

interface FastEthernet1/0
 crypto map vpn

With regards
Kings

On Sun, Aug 30, 2009 at 6:58 PM, Taqdir Singh <[email protected]> wrote:

Could anyone please clear the basic diff between GRE over IPsec vs IPsec over GRE?

--
Taqdir Singh | Network Engineering | 09911709496
Do today what others won't so you can live tomorrow as others can't

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
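A complete configuration of the two methods the thread compares, added here as an example; it was not posted by anyone in the thread. It reuses the tunnel endpoint addresses from Stuart's lab (6.6.146.4 sourcing Tunnel0 from FastEthernet0/0, peer 6.6.25.2). The ISAKMP policy, the pre-shared key, the transform set, the interface mask on FastEthernet0/0 and every object name are assumptions chosen for the example.

```ios
! ---- Common to both methods (assumed: policy numbers, PSK, transform set)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CISCO address 6.6.25.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! ---- Method A: tunnel protection profile on the tunnel interface.
! IOS derives the proxy identity itself: GRE (IP protocol 47) from the
! tunnel source address to the tunnel destination address. No ACL and
! no crypto map on the physical interface.
crypto ipsec profile GRE
 set transform-set TS
!
interface Tunnel0
 ip address 6.6.45.4 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 6.6.25.2
 tunnel key 123
 tunnel protection ipsec profile GRE
!
! ---- Method B: crypto map on the physical interface the tunnel is
! sourced from. The interesting traffic is the GRE between the tunnel
! endpoints, i.e. what the tunnel emits, not what is routed into it.
! On 12.3T and later the map goes on the physical interface only.
ip access-list extended GRE-TO-R2
 permit gre host 6.6.146.4 host 6.6.25.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 6.6.25.2
 set transform-set TS
 match address GRE-TO-R2
!
interface Tunnel0
 ip address 6.6.45.4 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 6.6.25.2
 tunnel key 123
!
interface FastEthernet0/0
 ip address 6.6.146.4 255.255.255.0
 crypto map VPN
!
! ---- Verification (either method)
! show crypto ipsec sa      - local/remote ident lists the endpoint
!                             addresses with protocol 47 as the proxy
! show crypto session       - one IPsec flow for that GRE proxy
! On a transit device, an "access-list 100 deny ip any any log" shows
! protocol 50 (ESP) being denied, as in Stuart's log line, never 47.
```

Configure one method or the other for a given tunnel, not both; the pair is shown together only so the difference is visible. The point Kingsley makes about interesting traffic is the one that trips people up in Method B: the ACL matches the GRE packets leaving the physical interface, so it names the tunnel endpoint addresses, not the inner networks reached through the tunnel. A mirror-image configuration (peer 6.6.146.4, source and destination swapped in the ACL) is needed on the far router.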
