gre/ipsec or ipsec/gre

itdaddy Senior Member Posts: 2,089
gre/ipsec applied to the tunnel
ipsec/gre applied to the interface


Which one encrypts everything, data and routing information? ipsec/gre?
And which one encrypts data only and not routing information?

thanks guys


  • Jobene Member Posts: 63
    If you place an ACL for GRE and add it to the crypto map, you do GRE over IPsec and everything is encrypted.

    The other way means only the IPsec-defined data is encrypted.
  • itdaddy Senior Member Posts: 2,089
    Why do you apply it to the interface sometimes and sometimes to the tunnel? I thought GRE/IPsec was when you applied it to the tunnel interface and IPsec/GRE is when you applied it to the interface? I understand GRE via ACL triggers interesting traffic, I get that.
  • Jobene Member Posts: 63
    You apply the IPsec to the outgoing interface to encrypt everything that is in the tunnel.
    GRE, like every protocol, encapsulates the data and sends it over the outgoing interface.

    In the old IOS versions you had to apply the crypto map to the tunnel too.

    If you send encrypted traffic over the tunnel (crypto map only on the tunnel), then routing information and data not protected by the map are in plaintext.
  • itdaddy Senior Member Posts: 2,089
    Right. So if you put the crypto map on both, then both GRE routing information and data are encrypted,
    and if the crypto map is only on the tunnel, GRE routing information is exposed?

    What is transport mode vs tunnel mode? I thought tunnel mode is the preferred way since it is the one that determines whether a tunnel is encrypted entirely?
  • Jobene Member Posts: 63
    Half :P
    R1 <- INTERNET -> HQ
    .1              .2
    Tunnel:

    int tunnel 1
    ip add
    no shut
    router eigrp 1
    network // so routing information goes through the tunnel ;)

    Your crypto map (R1 would be ....)

    HQ(config)#crypto map maptohq 10 ipsec-isakmp
    HQ(config-crypto-map)# set peer
    HQ(config-crypto-map)# match address 100
    HQ(config)#access-list 100 permit gre any any
    HQ(config-if)#crypto map maptohq

    So you don't need any more crypto map adding, because every GRE packet (which is our GRE tunnel with the data / routing inside) gets encrypted.

    Transport mode just defines that the data is not modified and not encrypted.
  • itdaddy Senior Member Posts: 2,089
    So you set GRE via ACL as interesting traffic to trigger the tunnel which carries all data/routing and encrypt it under the interface. But do you use transport mode vs tunnel mode? You use the tunnel mode command?
  • mackenzae Member Posts: 77
    Just curious, are you trying to set up a DMVPN, which is a GRE tunnel which could have IPsec encryption placed on it or not, as it's not "required" for the tunnels to come up and pass data.
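The GRE-over-IPsec layout Jobene sketches (crypto map on the physical interface, ACL matching GRE, EIGRP running inside the tunnel) written out as a complete config for the HQ side. This is an added example, not config from the thread; the 203.0.113.x / 10.0.0.x / 192.168.x.x addresses, the interface names and the policy values are assumptions, and the pre-shared key is a placeholder.

```cisco
! --- Phase 1 (ISAKMP) policy; values are assumptions for this example
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! --- Phase 2 transform set. Tunnel mode (default) adds a new outer IP
! header; transport mode would also protect the whole GRE payload
! (inner IP + routing updates) with 20 bytes less overhead, since GRE
! already supplies the tunnel. Either mode is fine for GRE over IPsec.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Interesting traffic = the GRE packets between the two tunnel endpoints.
! Matching only GRE (not "any any") keeps the SA scoped to this tunnel and
! still covers everything inside it, data and EIGRP alike.
access-list 100 permit gre host 203.0.113.2 host 203.0.113.1
!
crypto map maptohq 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address 100
!
! --- GRE tunnel; no crypto map here, the physical interface does the work
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
! --- Outgoing interface carries the crypto map, so every GRE packet,
! routing information included, leaves encrypted
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map maptohq
!
! --- Routing runs over the tunnel address space, so updates ride inside GRE
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 192.168.2.0 0.0.0.255
```

To confirm nothing is leaking in clear, check that the SA's #pkts encaps / #pkts decaps counters in `show crypto ipsec sa` climb while EIGRP hellos and user traffic flow; if the counters stay at zero while the tunnel is up, the GRE packets are bypassing the map.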