Hi all, thanks all for explaining. I labbed it today and it worked; I could see all the headers, first GRE then IPsec. What I understood is that if the IPsec peers' IPs are routed through the Tunnel interface, then we can have IPsec encapsulated in GRE, so it is like an IPsec tunnel in transit through the GRE tunnel.

However, I was more confused when I was comparing it with this kind of scenario (link below), where the IPsec tunnel is sourced behind the interface but the destination IP is learned through the GRE tunnel, so it gets encapsulated in GRE, and then when it hits the interface where the crypto map is applied it gets encapsulated in IPsec.

http://blog.ine.com/2010/05/17/ccie-security-tunnels-within-tunnels-challenge/

I guess I still have some gaps in my understanding; however, I hope those will be filled with further labbing.

Thanks all,
Kind Regards,
Manish

On Tue, Nov 30, 2010 at 5:38 PM, Vybhav Ramachandran <[email protected]> wrote:

> Hello Wale,
>
> Here are the responses to your questions
>
> 1) In case of IPsec over GRE, if we have an ASA in between the IPsec
> peers, then we need to permit gre on the outside interface for the tunnel to
> come up.
>
> 2) In case of IPsec over GRE, the proxy ACL that we will be using will be
> *permit ip x.x.x.x y.y.y.y*. That's because we have placed a crypto map
> IN the tunnel. So it will encrypt the plain-text packets here, hence IP, not
> GRE, in the ACL. Only AFTER it gets encrypted will the GRE header be
> slapped on top of it.
>
> 3) Transport mode works without any issues. I tested this out and I don't
> see any problems.
>
> Cheers,
> TacACK
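To make the header order concrete, here is an added example (not from the thread or from either poster) that builds the two encapsulations from constructed bytes and walks the outer headers the way a capture would show them; it also reports which IP protocol an in-path firewall such as the ASA in point 1 would need to permit. Addresses, SPIs and the ciphertext placeholder are all made up.

```python
import struct

IPPROTO_GRE, IPPROTO_ESP = 47, 50
ETHERTYPE_IPV4 = 0x0800

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left 0, sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def gre(payload, ethertype=ETHERTYPE_IPV4):
    """Basic GRE header with no checksum/key/sequence flags set."""
    return struct.pack("!HH", 0, ethertype) + payload

def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by the opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext

def walk_headers(pkt):
    """Return the encapsulation chain, outermost first, stopping at ESP
    (everything after the ESP header is ciphertext and cannot be parsed)."""
    layers, off = [], 0
    while off < len(pkt):
        if pkt[off] >> 4 != 4:
            raise ValueError(f"not IPv4 at offset {off}")
        ihl = (pkt[off] & 0x0F) * 4
        proto = pkt[off + 9]
        layers.append("IPv4")
        off += ihl
        if proto == IPPROTO_GRE:
            flags, etype = struct.unpack_from("!HH", pkt, off)
            layers.append("GRE")
            # skip the optional checksum/key/sequence fields if their flag bits are set
            off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
            if etype != ETHERTYPE_IPV4:
                layers.append(f"ethertype 0x{etype:04x}")
                break
        elif proto == IPPROTO_ESP:
            spi, _seq = struct.unpack_from("!II", pkt, off)
            layers.append(f"ESP(spi=0x{spi:08x})")
            break
        else:
            layers.append(f"proto {proto}")
            break
    return layers

def outer_protocol(pkt):
    """The IP protocol an in-path firewall (e.g. an ASA between the peers) must permit."""
    return {IPPROTO_GRE: "gre", IPPROTO_ESP: "esp"}.get(pkt[9], str(pkt[9]))

# Constructed sample addresses and payload (not from the thread)
TUN_A, TUN_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])    # GRE tunnel endpoints
PEER_A, PEER_B = bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2])    # IPsec peers, reached via the tunnel
CIPHERTEXT = b"\x00" * 32                                    # stands in for the encrypted inner IP packet

# IPsec over GRE: crypto map on the tunnel interface, so ESP is built first and GRE then wraps it
IPSEC_OVER_GRE = ipv4(TUN_A, TUN_B, IPPROTO_GRE, gre(ipv4(PEER_A, PEER_B, IPPROTO_ESP, esp(0x1001, 1, CIPHERTEXT))))
# GRE over IPsec: crypto map on the physical interface, so the whole GRE packet is what gets encrypted
GRE_OVER_IPSEC = ipv4(PEER_A, PEER_B, IPPROTO_ESP, esp(0x2002, 1, CIPHERTEXT))
```

Running `walk_headers` on the first packet gives IPv4, GRE, IPv4, ESP (the "first GRE then IPsec" order seen in the lab), while the second shows only IPv4, ESP because the GRE header is inside the ciphertext.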
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
