gre/ipsec or ipsec/gre
itdaddy
gre/ipsec applied to the tunnel
ipsec/gre applied to the interface
right?
Which one encrypts everything, data and routing information? ipsec/gre?
And which one encrypts data only and not routing information?
thanks guys
Comments
-
Jobene
If you place an ACL for GRE and add it to the crypto map, you do GRE over IPsec and everything is encrypted.
The other way means only the IPsec-defined data is encrypted.
-
itdaddy
Why do you apply it to the interface sometimes and sometimes to the tunnel? I thought gre/IPsec was when you applied it to the tunnel interface and IPsec/gre is when you applied it to the interface? I understand GRE via ACL triggers interesting traffic, I get that.
-
Jobene
You apply the IPsec to the outgoing interface to encrypt everything that is in the tunnel.
GRE, like every protocol, encapsulates the data and sends it over the outgoing interface.
In the old IOS versions you had to apply the crypto map to the tunnel too.
If you send encrypted traffic over the tunnel (crypto map only on tunnel), then routing information and data not protected by the map are in plaintext.
-
itdaddy
Right. So if you put the crypto map on both, then both GRE routing information and data are encrypted,
but
if the crypto map is only on the tunnel, GRE routing information is exposed?
What is transport mode vs tunnel mode? I thought tunnel mode is the preferred way since it is the one that determines whether a tunnel is encrypted entirely?
-
Jobene
half :P
192.168.0.0/24
R1 <- INTERNET -> HQ
.1                .2
Tunnel : 192.168.1.0/24
int tunnel 1
ip add 192.168.1.1 255.255.255.0
no shut
ex
router eigrp 1
! so routing information goes through the tunnel
network 192.168.1.0
ex
Your Crypto Map (R1 would be .... )
HQ(config)#crypto map maptohq 10 ipsec-isakmp
HQ(config-crypto-map)# set peer 192.168.0.1
HQ(config-crypto-map)# match address 100
HQ(config)#access-list 100 permit gre any any
HQ(config-if)#crypto map maptohq
So you don't need to add any more crypto maps, because every GRE (which is our GRE tunnel with the data/routing inside) gets encrypted.
Transport mode just defines that the data is not modified and not encrypted.
-
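Added example, not part of Jobene's post: a fuller HQ-side configuration for the setup sketched above, with the crypto map matching GRE on the outgoing interface and the transform set in transport mode. The interface name, the HQ tunnel address, the ISAKMP and transform-set values, the name GRE-TS and the key placeholder are assumptions, not values from the thread.

```cisco
! HQ side (192.168.0.2). R1 (192.168.0.1) mirrors this with the addresses swapped.
! Assumed, not from the thread: GigabitEthernet0/0, tunnel address 192.168.1.2,
! the ISAKMP policy values, the transform-set name GRE-TS and the key placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.168.0.1
!
! Transport mode: ESP protects the GRE packet and reuses its outer IP header.
! Tunnel mode (the default) would wrap it in one more IP header, which adds
! 20 bytes here because the GRE endpoints and the IPsec peers are the same.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: only GRE between the two tunnel endpoints is interesting traffic.
! Everything routed into Tunnel1 (EIGRP and user data) leaves as GRE, so it all matches.
access-list 100 permit gre host 192.168.0.2 host 192.168.0.1
!
crypto map maptohq 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set GRE-TS
 match address 100
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source 192.168.0.2
 tunnel destination 192.168.0.1
!
! The crypto map goes on the physical interface the GRE packets leave through.
interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map maptohq
!
router eigrp 1
 network 192.168.1.0 0.0.0.255
```

With this in place, `show crypto ipsec sa` on either router should show the encaps and decaps counters rising as EIGRP hellos and data cross Tunnel1.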
itdaddy
So you set GRE via ACL as interesting traffic to trigger the tunnel, which carries all data/routing, and encrypt it under the interface. But do you use transport mode vs tunnel mode? You use the tunnel mode command?
-
mackenzae
Just curious, are you trying to set up a DMVPN, which is a GRE tunnel which could have IPsec encryption placed on it or not, as it's not "required" for the tunnels to come up and pass data?