Hello Ramachandran, are you now saying that if IPsec over GRE is configured and a firewall is along the transit path, then we have to permit GRE traffic through the firewall? When you issue show crypto ipsec transform-set, will the proxy ACL be access-list permit gre/ah host x.x.x.x host y.y.y.y? Can we implement IPsec over GRE in transport mode, since the peering devices in this case are encrypted?
An answer to the following question will help.

Regards,
Wale

________________________________
From: Vybhav Ramachandran <[email protected]>
To: manish ludhani <[email protected]>
Cc: [email protected]
Sent: Tue, November 30, 2010 10:40:49 AM
Subject: Re: [OSL | CCIE_Security] ipsec over gre

Hello Manish,

To add to Tyson, AFAIK:

If you want to configure GRE over IPsec, then
1) Either configure tunnel protection on the tunnel interface
2) Or configure a crypto map on the physical interface, with the interesting traffic specified as the GRE-encapsulated traffic

If you want to configure IPsec over GRE, then
1) Configure the crypto map on the tunnel interface. This will encrypt the un-tunnelled clear-text packet. And when the encrypted traffic is to be sent out of a physical interface, it just encapsulates this encrypted packet in a GRE header and shoots it over to the other peer.

Remember, traffic in the tunnels can be treated as the original traffic prior to tunnelling. So whatever configuration you do inside the GRE tunnel (ex: QoS, encryption) will apply to the traffic prior to tunnelling. It's only when the traffic is heading out through an interface that it will be tunnelled (based on the tunnel mode configured on the tunnel interface) and conditionally encrypted (if you have a crypto map applied or tunnel protection configured on the interface).

You could check this out (VTI) -> http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1072476

Cheers,
TacACK
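The three configuration options Vybhav lists, written out as an added Cisco IOS example (editor's illustration, not configuration posted by anyone in this thread). The topology, addresses, pre-shared key and object names are constructed for the example; only one of the three Tunnel0 variants is applied at a time, and R2 mirrors R1 with the addresses swapped. The comments note what each variant puts on the wire between the two routers, which is what a transit firewall has to permit: ESP (IP protocol 50) plus IKE on UDP 500 (and UDP 4500 when NAT-T is in use) for GRE over IPsec, and only GRE (IP protocol 47) between the outer addresses for IPsec over GRE, because in that case IKE and ESP ride inside the GRE tunnel.

```text
! Assumed topology (constructed for this example):
!   R1 Gi0/0 203.0.113.1 ---- transit firewall ---- 198.51.100.2 Gi0/0 R2
!   R1 LAN 192.168.1.0/24                            R2 LAN 192.168.2.0/24
!   Tunnel0: 10.0.0.1/30 on R1, 10.0.0.2/30 on R2
! Only R1 is shown; R2 mirrors it with addresses swapped.

! --- Common IKE / IPsec policy for all three variants ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- Variant A: GRE over IPsec using tunnel protection -------------------
! Wire between R1 and R2: ESP (proto 50) + IKE (UDP 500, UDP 4500 with NAT-T)
! between 203.0.113.1 and 198.51.100.2. GRE is inside the ESP payload.
crypto isakmp key ExampleKey123 address 198.51.100.2
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT

! --- Variant B: GRE over IPsec using a crypto map on the physical interface
! Interesting traffic is the GRE packet itself, between the outer addresses.
! Wire: same as Variant A (ESP + IKE, no clear-text GRE).
crypto isakmp key ExampleKey123 address 198.51.100.2
ip access-list extended GRE-BETWEEN-PEERS
 permit gre host 203.0.113.1 host 198.51.100.2
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address GRE-BETWEEN-PEERS
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-OUTSIDE
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2

! --- Variant C: IPsec over GRE using a crypto map on the tunnel interface
! Interesting traffic is the clear-text LAN-to-LAN traffic, and the IPsec
! peer is the far end of the tunnel (10.0.0.2), so IKE and ESP travel
! inside GRE. Wire: GRE (proto 47) 203.0.113.1 <-> 198.51.100.2 only;
! a transit firewall must permit protocol 47 between the two outer addresses.
crypto isakmp key ExampleKey123 address 10.0.0.2
ip access-list extended LAN-TO-LAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CM-TUNNEL 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-AES
 match address LAN-TO-LAN
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 crypto map CM-TUNNEL
ip route 192.168.2.0 255.255.255.0 Tunnel0

! --- Verification (any variant) ---
! show crypto isakmp sa          -> peer is the outer address (A, B) or 10.0.0.2 (C)
! show crypto ipsec sa           -> "local ident"/"remote ident" show the
!                                   negotiated proxy identities (GRE host/host
!                                   pair for B, the LAN subnets for C)
! show interfaces Tunnel0        -> tunnel protection/crypto map state
```

To confirm what the firewall will actually see, check the proxy identities and peer addresses with show crypto ipsec sa rather than show crypto ipsec transform-set: the transform set only lists the algorithms and mode, while the SA output shows the identities that were negotiated and the peer address the ESP packets are sent to.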
