gre/ipsec or ipsec/gre
itdaddy
gre/ipsec applied to the tunnel
ipsec/gre applied to the interface
right?
which one encrypts everything, data and routing information? ipsec/gre?
and which one encrypts data only and not routing information?
thanks guys
Comments
Jobene
If you place an ACL for GRE and add it to the crypto map, you do GRE over IPsec and everything is encrypted.
The other way means only the IPsec-defined data is encrypted.
itdaddy
why do you apply it to the interface sometimes and sometimes to the tunnel? I thought gre/IPsec was when you applied it to the tunnel interface and IPsec/gre is when you applied it to the interface? I understand gre via acl triggers interesting traffic, I get that.
Jobene
you apply the ipsec to the outgoing interface to encrypt everything that is in the tunnel.
gre, like every protocol, encapsulates the data and sends it over the outgoing interface.
in the old IOS versions you had to apply the crypto map to the tunnel too
if you send encrypted traffic over the tunnel (crypto map only on tunnel) then routing information and data not protected by the map are in plaintext
itdaddy
right. so if you put crypto map on both, then both gre routing information and data are encrypted,
but
if crypto map is only on the tunnel, gre routing information is exposed?
what is transport mode vs tunnel mode? i thought tunnel mode is the preferred way since it is the one that determines whether a tunnel is encrypted entirely?
Jobene
half :P
        192.168.0.0/24
R1 <- INTERNET -> HQ
.1                .2
Tunnel : 192.168.1.0/24
int tunnel 1
ip add 192.168.1.1 255.255.255.0
no shut
ex
router eigrp 1
! so routing information goes through the tunnel
network 192.168.1.0
ex
Your Crypto Map (R1 would be .... )
HQ(config)#crypto map maptohq 10 ipsec-isakmp
HQ(config-crypto-map)# set peer 192.168.0.1
HQ(config-crypto-map)# match address 100
HQ(config)#access-list 100 permit gre any any
HQ(config-if)#crypto map maptohq
So you don't need to add any more crypto maps, because every GRE packet (which is our GRE tunnel with the data / routing inside) gets encrypted.
Transport mode just defines that the data is not modified and not encrypted
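Added example, not part of the thread or any poster's configuration: a small Python check for the point discussed above, that the tunnel's data and routing updates are only encrypted when the crypto map on the tunnel's source interface has an ACL matching GRE. The interface name Serial0/0, the tunnel addressing and the 10.x LAN ACL are constructed for illustration; `maptohq`, ACL 100 and the peer address are the ones used in the thread.

```python
import re

# Constructed config fragment modelled on the thread (Serial0/0 is assumed).
COVERED = """\
access-list 100 permit gre any any
crypto map maptohq 10 ipsec-isakmp
 set peer 192.168.0.1
 match address 100
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map maptohq
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.0.1
"""
# Same fragment, but the crypto ACL only names LAN-to-LAN IP traffic (constructed).
UNCOVERED = COVERED.replace("permit gre any any",
                            "permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255")

def gre_tunnels_covered(config):
    """Map each tunnel interface to True when the crypto map applied on its
    'tunnel source' interface references an ACL that permits GRE."""
    gre_acls, map_acls, if_map, tun_src = set(), {}, {}, {}
    iface = cmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line leaves any sub-mode
            iface = cmap = None
        if m := re.match(r"access-list (\S+) permit gre\b", line):
            gre_acls.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cmap = m.group(1)            # entering crypto map sub-mode
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)           # entering interface sub-mode
        elif cmap and (m := re.match(r"match address (\S+)", line)):
            map_acls.setdefault(cmap, set()).add(m.group(1))
        elif iface and (m := re.match(r"crypto map (\S+)$", line)):
            if_map[iface] = m.group(1)   # crypto map attached to this interface
        elif iface and (m := re.match(r"tunnel source (\S+)", line)):
            tun_src[iface] = m.group(1)
    # A tunnel is covered if its source interface's map has a GRE-matching ACL.
    return {t: bool(map_acls.get(if_map.get(src), set()) & gre_acls)
            for t, src in tun_src.items()}

if __name__ == "__main__":
    print("GRE matched by crypto ACL:", gre_tunnels_covered(COVERED))
    print("Only LAN traffic matched: ", gre_tunnels_covered(UNCOVERED))
```

The check only follows a `tunnel source` given as an interface name; a tunnel sourced from an IP address is reported as not covered.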
itdaddy
so you set gre via acl as interesting traffic to trigger the tunnel which carries all data/routing and encrypt it under the interface. but do you use transport mode vs tunnel mode? you use tunnel mode command?
mackenzae
Just curious, are you trying to set up a DMVPN, which is a GRE tunnel that could have IPsec encryption placed on it or not... as it's not "required" for the tunnels to come up and pass data.