Hi all,

I tried capturing the packets with Wireshark. With ESP, everything inside is encrypted, so I could not get any info.

Then I tried with AH alone. AH does encapsulate but the text will be clear, right? Given below is the encapsulation format:

*Crypto map on Tunnel interface*

For both tunnel and transport mode, the format was the same:

IP - AH - IPIP - IP - Payload

Note: GRE header is not at all present. I was suspecting this.

*Tunnel protection ipsec on the tunnel interface*

Tunnel mode => IP - AH - IPIP - GRE - IP - Payload
Transport mode => IP - AH - GRE - Payload

*Crypto map on both Tunnel and physical interface*

For both tunnel and transport mode, the format was the same:

IP - AH - IPIP - GRE - IP - Payload

So when we apply the crypto map on the tunnel, the GRE header is not at all added.

With regards
Kings

On Tue, Sep 1, 2009 at 9:48 PM, Tyson Scott <[email protected]> wrote:

> I will state that in 12.2T and below days you had to apply the crypto map
> to both the physical and the GRE. It was a “feature” that was later fixed
> but they always tried to trip you up with it on the test. So you guys may
> have been confused by this fact. 12.3T and above had fixed this and now you
> only apply the crypto map to the physical interface or use the tunnel
> protection profile.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
> Storage Lab Certifications.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Shawn H. Mesiatowsky
> *Sent:* Monday, August 31, 2009 10:01 PM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] gre over ipsec vs ipsec over gre
>
> You should not be trying to apply the crypto map to the tunnel interface
> matching the gre traffic, you should be applying a crypto map to the
> physical interface and the interesting traffic should be the gre traffic.
> This will bring up the tunnel and encrypt the gre traffic. Stuart was
> correct in his earlier post, applying a crypto map to the physical
> interface, or protecting the tunnel using the tunnel protection ipsec
> profile … has the same outcome. The gre traffic is encrypted and all that
> travels between the routers is esp packets and not gre packets. I have just
> labbed this up to confirm with wireshark sniffing the traffic. Amazing,
> because I too remember reading somewhere that tunnel protection would
> encrypt the contents of the gre packet, but not the gre packet itself.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Monday, August 31, 2009 2:01 AM
> *To:* Stuart Hare
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] gre over ipsec vs ipsec over gre
>
> Hi Stuart
>
> There is a difference in using "tunnel protection ipsec" and applying
> crypto map directly to the tunnel interface.
>
> If you use "tunnel protection ipsec", then the interesting traffic will be
> GRE with source/destination address of the tunnel's physical address. IOS
> automatically adds it.
>
> If you use "crypto map" on the tunnel interface and try to match the GRE
> traffic as tunnel protection ipsec, the IPSec tunnel won't come up. With
> crypto map on the tunnel interface, interesting traffic should be the
> traffic that is being routed into the tunnel interface i.e., the untunneled
> GRE traffic.
>
> You can see the difference using "show crypto ipsec sa".
>
> This is the difference I was trying to tell.
>
> But for both cases, as you said, ESP is the outer packet, not GRE.
>
> When you put the crypto map on the tunnel interface, encryption is
> happening first, but when you use tunnel ipsec protection, GRE tunneling is
> happening first. But for both cases at the end ESP is the outer packet.
>
> I am yet to try with wireshark. That would give a better picture.
>
> With regards
> Kings
>
> On Mon, Aug 31, 2009 at 12:47 AM, Stuart Hare <[email protected]> wrote:
>
> Kings,
>
> So what's really gonna bake your noodle later, is where you came across this
> theory in the first place :-)
>
> I also thought this way until I actually labbed this up to prove the
> theory. And after was adamant that I had read this somewhere but could never
> find it when I tried to. The reality is that both solutions below yield
> exactly the same result but configured 2 different ways.
>
> What you always see on the wire is IPSEC, or more specifically ESP.
>
> Take for instance the tunnel configuration.
>
> interface Tunnel0
>  ip address 6.6.45.4 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 6.6.25.2
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> interface Tunnel0
>  ip address 6.6.45.2 255.255.255.0
>  tunnel source Serial0/1/0
>  tunnel destination 6.6.146.4
>  tunnel key 123
>  tunnel protection ipsec profile GRE
>
> Just to prove what was being seen I dropped a deny ip any any log on a
> device in between the tunnel endpoints.
>
> As you can see below IP protocol 50 (ESP) was dropped not IP 47 (GRE).
>
> Aug 30 21:51:03.526: %SEC-6-IPACCESSLOGNP: list 100 denied 50 6.6.25.2 -> 6.6.146.4
>
> Lab this up for yourself and either get wireshark between your endpoints or
> a router/asa to see the traffic that is going across the wire.
>
> It's been a while since I did this myself, but I seem to remember trying
> several different configurations for this and regardless of each you always
> see ESP not GRE. On this I may be wrong though, I may have missed a method
> that provides this result.
>
> Stu
>
> 2009/8/30 Kingsley Charles <[email protected]>
>
> Hi Taqdir
>
> This has been always a confusing subject but quite interesting.
>
> There is no terminology as IPSec over GRE. It is always GREoIPSec.
>
> But the question, do you want to put the IPSec into GRE or GRE into IPSec?
> It all depends on your configuration.
>
> GREoIPSec is mostly used when we need encryption but the traffic is not
> IPSec compatible. For example, multicast or non-IP traffic can't be
> encapsulated directly into IPSec. Hence first we encapsulate using GRE and
> then place it in IPSec.
>
> When you apply crypto map directly on the GRE tunnel interface, IPSec
> encapsulates the interesting traffic and then this IPSec packet is placed
> into GRE.
>
> interface Tunnel0
>  ip address 10.20.30.40
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>  crypto map vpn
>
> or
>
> interface Tunnel0
>  ip address 10.20.30.40
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>  tunnel protection ipsec profile mine
>
> When you apply crypto map on the physical interface to which the GRE tunnel
> is sourced and have interesting traffic as GRE, then the GRE traffic is
> placed into IPSec.
>
> interface Tunnel0
>  ip address 10.20.30.40 255.255.255.0
>  tunnel source FastEthernet1/0
>  tunnel destination 10.20.30.43
>
> int FastEthernet1/0
>  crypto map vpn
>
> With regards
> Kings
>
> On Sun, Aug 30, 2009 at 6:58 PM, Taqdir Singh <[email protected]> wrote:
>
> could any one please clear the basic diff between
>
> gre over ipsec vs ipsec over gre
>
> --
> Taqdir Singh | Network Engineering | 09911709496
>
> Do today what others won't so you can live tomorrow as others can't
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
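The header chains reported in the thread (IP - AH - IPIP - GRE - IP - Payload with tunnel protection in tunnel mode, IP - AH - GRE - Payload in transport mode, and an opaque ESP packet when ESP is used) can be checked mechanically instead of by eye in Wireshark. The script below is an added example, not code from any poster on the thread or from Cisco: it builds constructed AH/ESP/GRE packets with documentation addresses (192.0.2.1, 198.51.100.1, a made-up SPI and a zeroed ICV, so they are not real captures), walks the protocol chain from the outer IP header and labels each layer the way the thread does (the label "IPIP" marks an IP header reached through IP protocol 4, i.e. IPsec tunnel-mode encapsulation). It stops at ESP because, as Kings found, the next-header field of ESP sits in the encrypted trailer. The function names and the "GRE over IPsec" / "IPsec over GRE" classification are my own.

```python
import struct

# IP protocol numbers that appear in the thread's header chains
IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 4, 47, 50, 51
NEXT_HEADER = {IPPROTO_AH: "AH", IPPROTO_ESP: "ESP", IPPROTO_GRE: "GRE", IPPROTO_IPIP: "IPIP"}
PAYLOAD_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed test data, not a capture)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def ah_header(next_proto, spi=0x1001, seq=1, icv=b"\x00" * 12):
    """AH (RFC 4302): next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV."""
    length_words = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_proto, length_words, 0, spi, seq) + icv


def gre_header(key=None, proto_type=0x0800):
    """GRE (RFC 2784/2890): flags|version, protocol type, optional 4-byte key (IOS 'tunnel key')."""
    flags = 0x2000 if key is not None else 0          # K bit
    hdr = struct.pack("!HH", flags, proto_type)
    return hdr + (struct.pack("!I", key) if key is not None else b"")


def esp_header(spi=0x2002, seq=1, ciphertext=b"\xaa" * 32):
    """ESP (RFC 4303): only SPI and sequence number are in the clear; the rest is ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def walk_headers(pkt):
    """Return the on-wire header chain, e.g. ['IP', 'AH', 'IPIP', 'GRE', 'IP', 'TCP'].
    'IPIP' labels an IP header reached via protocol 4 (IPsec tunnel mode)."""
    chain, off, expect = [], 0, "IP"
    while off < len(pkt):
        if expect in ("IP", "IPIP"):
            chain.append(expect)
            proto = pkt[off + 9]                        # IPv4 protocol field
            off += (pkt[off] & 0x0F) * 4                # IHL in 32-bit words
        elif expect == "AH":
            chain.append("AH")
            proto = pkt[off]                            # AH next-header is in the clear
            off += (pkt[off + 1] + 2) * 4
        elif expect == "GRE":
            chain.append("GRE")
            flags, ptype = struct.unpack_from("!HH", pkt, off)
            off += 4 + 4 * bin(flags & 0xB000).count("1")   # C, K, S bits each add 4 bytes
            if ptype != 0x0800:
                chain.append(f"ethertype 0x{ptype:04x}")
                return chain
            expect = "IP"
            continue
        elif expect == "ESP":
            chain.append("ESP")                         # next header is inside the encrypted trailer
            return chain
        else:
            chain.append(expect)                        # transport payload: stop here
            return chain
        expect = NEXT_HEADER.get(proto) or PAYLOAD_NAMES.get(proto, f"proto {proto}")
    return chain


def encapsulation_order(chain):
    """GRE over IPsec: IPsec header precedes GRE on the wire; IPsec over GRE: the reverse."""
    ipsec = next((i for i, h in enumerate(chain) if h in ("AH", "ESP")), None)
    gre = next((i for i, h in enumerate(chain) if h == "GRE"), None)
    if ipsec is None:
        return "unprotected GRE" if gre is not None else "no GRE, no IPsec"
    if gre is None:
        return "IPsec outermost; GRE not visible in the clear"
    return "GRE over IPsec" if ipsec < gre else "IPsec over GRE"


# Constructed sample traffic: inner IP + 20 bytes standing in for a TCP segment
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 6, 20) + b"\x00" * 20
TUNNEL_SRC, TUNNEL_DST = "192.0.2.1", "198.51.100.1"   # constructed tunnel endpoints


def gre_over_ah_tunnel_mode():
    """'tunnel protection ipsec' with AH in tunnel mode: IP - AH - IPIP - GRE - IP - TCP."""
    gre = gre_header(key=123) + INNER
    delivery = ipv4_header(TUNNEL_SRC, TUNNEL_DST, IPPROTO_GRE, len(gre)) + gre
    ah = ah_header(IPPROTO_IPIP) + delivery
    return ipv4_header(TUNNEL_SRC, TUNNEL_DST, IPPROTO_AH, len(ah)) + ah


def gre_over_ah_transport_mode():
    """Same, AH in transport mode: IP - AH - GRE - IP - TCP."""
    gre = gre_header(key=123) + INNER
    ah = ah_header(IPPROTO_GRE) + gre
    return ipv4_header(TUNNEL_SRC, TUNNEL_DST, IPPROTO_AH, len(ah)) + ah


def gre_over_esp():
    """With ESP the walk ends at the ESP header: nothing after SPI/sequence is readable."""
    esp = esp_header()
    return ipv4_header(TUNNEL_SRC, TUNNEL_DST, IPPROTO_ESP, len(esp)) + esp


def plain_gre():
    """Unprotected GRE, what you would see if the crypto map never matched: IP - GRE - IP - TCP."""
    gre = gre_header(key=123) + INNER
    return ipv4_header(TUNNEL_SRC, TUNNEL_DST, IPPROTO_GRE, len(gre)) + gre


if __name__ == "__main__":
    for build in (gre_over_ah_tunnel_mode, gre_over_ah_transport_mode, gre_over_esp, plain_gre):
        chain = walk_headers(build())
        print(f"{build.__name__:28s} {' - '.join(chain):40s} {encapsulation_order(chain)}")
```

Running it prints one line per sample packet, with the chain and the classification. The same walker can be pointed at real bytes from a pcap (strip the Ethernet header first): if the first non-IP header is AH, the GRE header, tunnel key and inner addresses are all readable, which is the AH property Kings relied on; if it is ESP, the classification falls back to "GRE not visible", matching the opaque ESP captures in the thread. The protocol-51 versus protocol-50 distinction is also what Stuart's ACL log line (denied 50 ...) shows from the router side.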
