Kingsly said:
> *Crypto map on Tunnel interface*
> For both tunnel and transport mode, the format was same.
> IP - AH - IPIP - IP - Payload.
> Note : GRE header is not at all present. I was suspecting this

I have been aware that applying the protection profile on the tunnel, and the crypto map on the physical interface (matching the GRE traffic), would produce the same result since the *feature* was resolved. Prior to that, it was also necessary to apply the same crypto map to the tunnel interface.

However, the above is new to me. I always assumed that you could use the method of applying a crypto map to a tunnel interface and encrypt a subset of the traffic that went through the GRE tunnel. I always thought it would look like this:

IP - GRE - ESP | AH - Payload

This in essence would be IPSECoGRE. I think I will play with that a bit; it really surprises me that that isn't how it works. Great discussion.
