I think it was something like applying the crypto map to the tunnel
interface but using the crypto map source interface command to source the
crypto peers from another loopback interface.  It is possible but I don't
remember for sure.

Actually here.  I went ahead and searched through the archives and here is
the answer.  Piotr had answered this last year around this time.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
http://www.ipexpert.com/communities and our public website at
http://www.ipexpert.com

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, November 30, 2010 12:22 AM
To: manish ludhani
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ipsec over gre

It's GRE wrapped in IPSec. We do it because IPSec can't transport multicasts,
broadcasts, or non-IP traffic. So we wrap it in GRE and then into IPSec.

Why would someone wrap IPSec in GRE? IPSec is already a tunneling protocol.

But to your question, I think it is possible to implement IPSec over GRE, and
I remember someone posting the configuration for it.

BTW, VTI-based IPSec can transport broadcast and multicast.

With regards
Kings

On Tue, Nov 30, 2010 at 2:10 AM, manish ludhani <[email protected]>
wrote:

Hi all,

I was reading about GRE over IPsec and just got confused.

Is it possible to have IPsec over GRE?

Isn't it always GRE that rides over IPsec, whether we use a crypto map or
tunnel protection?

Can anyone please provide insight? (I couldn't find it in the archives.)

Regards,

manish


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com


--- Begin Message ---
Ubaid, Stuart,

The question was if we can configure GRE over IPSec, meaning IPSec
encapsulated inside GRE. What you provided is something opposite - IPSec
over GRE.

OK, here's the proof. I dug out my configs, as I labbed it a long time ago.
My topo is simple: R1 -- R2 --- R3 -- R4.
The IPSec tunnel and the GRE tunnel are both between R2 and R3. The goal is
to encrypt traffic between R1 and R4 and at the same time encapsulate it
inside GRE.
Here's the config:

R1
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.12.2


R2
!
! ISAKMP policy. MD5 and DES are lab-only choices; use AES/SHA in production.
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 3.3.3.3
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
!
! IKE/IPSec is sourced from Loopback0 and peered with R3's loopback. Both
! loopbacks are advertised only by EIGRP over Tunnel0 (EIGRP is not enabled
! on the 122.1.23.0/24 link), so the ESP packets built towards 3.3.3.3 are
! routed into the GRE tunnel rather than straight out of FastEthernet0/1.
crypto map CMAP local-address Loopback0
crypto map CMAP 1 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TSET
 match address 120
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
! The crypto map sits on the tunnel interface, not on the physical one, so
! matching traffic is encrypted first and GRE-encapsulated afterwards.
interface Tunnel0
 ip address 172.16.23.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 122.1.23.3
 crypto map CMAP
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 122.1.23.2 255.255.255.0
!
router eigrp 23
 network 2.2.2.2 0.0.0.0
 network 10.1.12.2 0.0.0.0
 network 172.16.23.2 0.0.0.0
 no auto-summary
!
! Interesting traffic is the LAN-to-LAN traffic itself, not "permit gre".
access-list 120 permit ip 10.1.12.0 0.0.0.255 10.1.34.0 0.0.0.255
!



R3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 2.2.2.2
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
!
! Mirror of R2: IKE/IPSec sourced from Loopback0 and peered with R2's
! loopback, crypto map applied on Tunnel0, crypto ACL mirrored.
crypto map CMAP local-address Loopback0
crypto map CMAP 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TSET
 match address 120
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Tunnel0
 ip address 172.16.23.3 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 122.1.23.2
 crypto map CMAP
!
interface FastEthernet0/0
 ip address 10.1.34.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 122.1.23.3 255.255.255.0
!
router eigrp 23
 network 3.3.3.3 0.0.0.0
 network 10.1.34.3 0.0.0.0
 network 172.16.23.3 0.0.0.0
 no auto-summary
!
access-list 120 permit ip 10.1.34.0 0.0.0.255 10.1.12.0 0.0.0.255
!



R4
!
interface FastEthernet0/0
 ip address 10.1.34.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.34.3
!




You can put a sniffer between R2 and R3 and you'll see GRE traffic going
between those routers.

Happy labbing!

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

“If you can't explain it simply, you don't understand it well enough” -
Albert Einstein



2009/12/18 Ubaid Iftikhar <[email protected]>


Since we are using the legacy method, the interesting-traffic ACL should
allow only GRE between the peers.

Example:

permit gre host 150.1.1.1 host 150.1.2.2

Here these two hosts are the tunnel interface source addresses at each end.

The crypto map goes on the physical interface, not the tunnel.

More than happy to lab it up if you send me the configs.

Regards,
Ubaid Iftikhar

Sent from my iPhone


On 19/12/2009, at 1:48 AM, Piotr Matusiak <[email protected]> wrote:



Hi All,

It can be done by applying the crypto map on the tunnel interface. If you
configure the IPSec endpoints behind the tunnel (e.g. on loopback interfaces)
and configure the interesting-traffic ACL to match the subnets behind the
routers (acl permit ip <subnet1> <subnet2>), then the packets will first be
encrypted and then encapsulated by GRE.

It is also wise to source IPSec from the loopback IP address even though the
crypto map resides on the tunnel interface (which is itself sourced from the
physical interface).

I can paste configs if you want to see them.


HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

"If you can't explain it simply, you don't understand it well enough" -
Albert Einstein


2009/12/18 Stuart Hare <[email protected]>



Darren

Since my original post I have done some testing of this.
Regardless of whether you use crypto maps or tunnel protection in your
setup, you will always see ESP traffic natively on the wire.

There has been a more recent post that I will try and dig out for you.

Stu

Sent from my iPhone

On 18 Dec 2009, at 10:39, "Darren Johnson" <[email protected]>
wrote:



Hi Mark, I was reviewing the archives when I found this post. Having set
this up, I don't believe this is actually correct.

I had a crypto ACL that referenced ping traffic to 4.3.2.1 only. A crypto
map was applied to the tunnel interface only. When I do a ping to 4.3.2.1 IT
IS NOT encapsulated with GRE. I see the traffic (on a switch in the middle)
as ESP traffic. Any other traffic not matched to the crypto ACL is sent as
GRE, so this bit looks like it is working. I'm a little bit confused why the
traffic is not protected by IPsec and 'then' sent within GRE - which it
should do according to your post.

The relevant config is shown below:

R5#sh runn
!
crypto isakmp key dazzler address 6.6.6.6
!
crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac
 mode transport
!
crypto map GRE_Tunnel 10 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set ESP-AES
 match address 101
!
! Note: the IPsec peer (6.6.6.6) is the same address as the GRE tunnel
! destination, so the ESP packets are routed towards 6.6.6.6 by the same
! route the GRE tunnel itself uses.
interface Tunnel56
 ip address 56.56.56.5 255.255.255.0
 tunnel source 5.5.5.5
 tunnel destination 6.6.6.6
 crypto map GRE_Tunnel
!
access-list 101 permit icmp any host 4.3.2.1
!
R5#

Any comments?

Dazzler

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf
Of Mark
Snow
Sent: 23 January 2009 16:27
To: Edouard Zorrilla
Cc: Stuart Hare; OSL Lab Exam; [email protected];
[email protected]
Subject: Re: Ipsec and gre

If you were to put a crypto map on the Tunnel interface, and your ACL
classified non-GRE unicast traffic (e.g. access-list 101 permit ip
10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255), then that would be IPsec
tunneled inside of GRE. That is to say that the unicast packets that
match that ACL would be encap'd in IPSec and then encap'd in GRE and
sent out the physical interface; however, there would also be the
possibility and likelihood that other unicast and certainly other
multicast traffic would also travel "alongside" that IPSec encap'd
traffic in the GRE tunnel - but itself not be encap'd or protected by
IPSec.

The more common method is to simply have your traffic enter the GRE
tunnel interface and then do an ACL that identifies and therefore
encap's the GRE traffic itself (e.g. access-list 102 permit gre host
129.51.20.4 host 201.15.24.12), or else to use the tunnel protection
command on the tunnel interface as you mentioned.

Don't forget that in 12.2T (version still in the lab for a few months)
that if you do choose (or are forced) to put a crypto map command on
the physical outgoing interface, that you also need to put it on the
tunnel interface as well - due to a "feature" in 12.2T.
Later versions - no worries.


HTH Some,

--
Mark Snow
CCIE #14073 (Voice, Security)

Senior Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Fax: +1.309.413.4097
Mailto: [email protected]
--
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
--
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video-On-
Demand and Audio Certification Training Tools for the Cisco CCIE R&S
Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
CCIE Storage Lab Certifications.
--




On Jan 22, 2009, at 6:45 PM, Edouard Zorrilla wrote:



Hi,

GRE over IPSec, you use the "tunnel protection" under Tunnel
Interface or "crypto map" under the physical interface.

IPSec over GRE, I do not know, any one ?

Regards


----- Original Message -----
From: "Stuart Hare" <[email protected]>
To: "OSL Lab Exam" <[email protected]>; <[email protected]>
Sent: Thursday, January 22, 2009 4:54 PM
Subject: Ipsec and gre




What's the difference between GRE over IPsec and IPsec over GRE in
terms of configuration?

Also, if I captured the traffic, would I see IPsec traffic in both
cases, or see GRE in one and IPsec in the other?

Stu

Sent from my iPhone




--- End Message ---
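Editor's note, added to the archived thread and not part of any of the messages above: the "put a sniffer between R2 and R3" check that Piotr describes can be made precise by looking at which protocol sits in the outer IPv4 header. The pure-Python classifier below (struct only, no scapy, no live capture) builds three constructed packets using the addresses from Piotr's lab and reports what an observer on the 122.1.23.0/24 link would see for each: ESP on the outside, where the GRE header is inside the ciphertext (GRE over IPsec, i.e. tunnel protection or a crypto map on the physical interface); GRE on the outside carrying an ESP packet between the loopbacks 2.2.2.2 and 3.3.3.3 in the clear (IPsec over GRE, the crypto-map-on-Tunnel case); and GRE carrying plain EIGRP that rides the same tunnel without matching the crypto ACL, which is the exposure Mark Snow warns about. It also explains the disagreement between Darren's and Piotr's results: in Darren's config the IPsec peer 6.6.6.6 is the tunnel destination itself, so the ESP packets follow the physical route to 6.6.6.6 and never enter Tunnel56, whereas in Piotr's lab the peer 3.3.3.3 is learned only through Tunnel0, so the ESP packets are routed into the tunnel and GRE-wrapped. All function names, SPI values and payloads are my own; the GRE key value and ciphertext bytes are placeholders, and no IP or GRE checksums are computed.

```python
"""Added example: classify IPv4 packets on the wire by encapsulation order
(GRE over IPsec vs IPsec over GRE). Packets are constructed inline, not
captured from a real lab; checksums are left zero."""
import struct
from ipaddress import IPv4Address

PROTO_GRE, PROTO_ESP, PROTO_EIGRP = 47, 50, 88
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum 0) in front of payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_gre(inner_ipv4, key=None):
    """GRE header carrying IPv4. Only the optional Key field (K bit) is modelled;
    checksum and sequence bits stay clear, as with Cisco's default tunnel mode."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner_ipv4


def build_esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IPv4 header")
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[ihl:total_len]


def parse_gre(payload):
    """Return (protocol_type, inner payload), skipping optional C/K/S fields."""
    if len(payload) < 4:
        raise ValueError("short GRE header")
    flags, ptype = struct.unpack("!HH", payload[:4])
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if len(payload) < hdr_len:
        raise ValueError("truncated GRE header")
    return ptype, payload[hdr_len:]


def esp_fields(payload):
    """Return (spi, seq); everything after them is ciphertext to an observer."""
    if len(payload) < 8:
        raise ValueError("short ESP header")
    return struct.unpack("!II", payload[:8])


def classify(pkt):
    """Label one outer IPv4 packet as an on-path observer would see it.
    'esp-outer'      : ESP outside; inner headers encrypted (GRE over IPsec or plain IPsec)
    'ipsec-over-gre' : GRE outside, inner IPv4 is ESP (crypto map on the Tunnel interface)
    'gre-cleartext'  : GRE outside carrying anything that is not ESP (unprotected)
    'other'          : neither GRE nor ESP on the outside
    Returns (label, info) with the visible addresses, protocols and SPI."""
    src, dst, proto, payload = parse_ipv4(pkt)
    info = {"outer": (src, dst), "proto": proto}
    if proto == PROTO_ESP:
        info["spi"], info["seq"] = esp_fields(payload)
        return "esp-outer", info
    if proto == PROTO_GRE:
        ptype, inner = parse_gre(payload)
        info["gre_ptype"] = ptype
        if ptype != ETHERTYPE_IPV4:
            return "gre-cleartext", info
        isrc, idst, iproto, ipayload = parse_ipv4(inner)
        info["inner"], info["inner_proto"] = (isrc, idst), iproto
        if iproto == PROTO_ESP:
            info["spi"], info["seq"] = esp_fields(ipayload)
            return "ipsec-over-gre", info
        return "gre-cleartext", info
    return "other", info


def sample_packets():
    """Constructed packets with the addresses from Piotr's lab (R2 Fa0/1 =
    122.1.23.2, R3 Fa0/1 = 122.1.23.3, loopbacks 2.2.2.2 / 3.3.3.3)."""
    opaque = bytes(range(16, 48))   # placeholder ciphertext, not real ESP output
    # IPsec over GRE: ESP between the loopbacks, then GRE between the physicals.
    esp_inner = build_ipv4("2.2.2.2", "3.3.3.3", PROTO_ESP, build_esp(0xC0FFEE, 7, opaque))
    ipsec_over_gre = build_ipv4("122.1.23.2", "122.1.23.3", PROTO_GRE, build_gre(esp_inner))
    # GRE over IPsec: the GRE header is inside the ESP payload and not visible.
    gre_over_ipsec = build_ipv4("122.1.23.2", "122.1.23.3", PROTO_ESP, build_esp(0xBEEF, 3, opaque))
    # EIGRP hello riding the same GRE tunnel without matching the crypto ACL.
    eigrp = build_ipv4("172.16.23.2", "224.0.0.10", PROTO_EIGRP, b"\x02\x05" + bytes(18))
    gre_cleartext = build_ipv4("122.1.23.2", "122.1.23.3", PROTO_GRE, build_gre(eigrp, key=23))
    return {"ipsec_over_gre": ipsec_over_gre, "gre_over_ipsec": gre_over_ipsec,
            "gre_cleartext": gre_cleartext}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, *classify(pkt))
```

To use it against real traffic, feed `classify()` the IPv4 payload of each frame from a capture on the link between the routers; the absence of any `gre-cleartext` result is the check that nothing is travelling alongside the protected traffic unencrypted.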