GRE over IPsec
Hi everyone, I am reading a chapter in the ISCW cert guide covering GRE over IPsec.
In the cert guide (I haven't finished the chapter yet) they talked about how to configure GRE using tunnel interfaces with the CLI, but they didn't show the GRE configuration with the IPsec and IKE features using the CLI.
I know how to create an IPsec site-to-site VPN using the CLI, and I know how to create a GRE tunnel (IP over IP). The question arises when putting these two together. Once I create my IKE and IPsec policies and transform sets, do I create a crypto map and apply it to the tunnel interface, or does it get applied to the regular physical interface like the IPsec site-to-site VPN configuration does?
Also, what about interesting traffic: is it permit ip or permit gre?
Those are some questions that arose in my head when I was reading the GRE over IPsec chapter.
Can anyone help out?
NHSCA National All-American Wrestler 135lb
Comments
_maurice Member Posts: 142
Good question; check this out --> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
The config in this example has it on both the physical and the tunnel interfaces, but there is a note near the top of the page:
IOS Configuration Note: With Cisco IOS 12.2(13)T and later codes (higher numbered T-train codes, 12.3 and later codes) the configured IPSEC "crypto map" only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. Having the "crypto map" on the physical and tunnel interface when using the 12.2(13)T and later codes still works. However, it is highly recommended to apply it just on the physical interface.
And to answer your second question, it looks like the interesting traffic access list is for the physical interfaces the GRE tunnels are bound to.
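As an added worked example, not taken from the thread or from the linked Cisco document: the crypto-map style of GRE over IPsec that _maurice's note describes, for one router only, with the crypto map on the physical interface and the crypto ACL matching GRE between the tunnel endpoints. The public addresses 203.0.113.1/.2, the names TS, CMAP, Tunnel0 and GigabitEthernet0/0, and the pre-shared key placeholder are all constructed; the LAN subnets 192.168.0.0/24 and 172.16.0.0/24 are the ones used elsewhere in this thread.

```cisco
! Constructed example: GRE over IPsec with a crypto map, Router A side only.
! Router A: public 203.0.113.1, LAN 192.168.0.0/24
! Router B: public 203.0.113.2, LAN 172.16.0.0/24
! Addresses, names and the pre-shared key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The crypto ACL matches the GRE packets between the tunnel endpoints
! (outer header, IP protocol 47), NOT the LAN subnets. The LAN addresses
! sit inside the GRE payload, which the crypto map never looks at.
access-list 100 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 100
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! The crypto map goes on the physical interface the tunnel is sourced from,
! not on Tunnel0 (12.2(13)T and later, per the Cisco note quoted above).
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! Route the remote LAN into the tunnel so traffic is GRE-encapsulated first
! and then matches access-list 100 on its way out of GigabitEthernet0/0.
ip route 172.16.0.0 255.255.255.0 Tunnel0
```

Router B mirrors this with the addresses swapped. Transport mode is enough here because the GRE outer header already carries the two public addresses, which saves the 20-byte extra IP header that tunnel mode would add; the lowered ip mtu and adjusted MSS leave room for the GRE and ESP headers so that large TCP segments are not fragmented after encryption.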
lildeezul Member Posts: 404
Thanks for that link.
I'm waiting on some memory upgrades so I can lab up this material. I really want to configure it and get hands-on learning from the chapters I read.
Very interesting stuff, though.
I am still a little confused about the ACL.
Let's say 192.168.0.0/24 started the interesting traffic to 172.16.0.0/24.
On an IPsec site-to-site VPN without GRE, the config would be:
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
But with GRE over IPsec, would the config be this?
access-list 100 permit gre 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
dtlokee Member Posts: 2,378
For GRE tunnels the access list should specify GRE between the tunnel endpoints.
Also, the "tunnel protection" command on the tunnel interface simplifies things because you don't need to create a crypto ACL.
The only easy day was yesterday!
lildeezul Member Posts: 404
Thanks for the information.
Again, I can't wait to lab this up.
Does the ISCW test on this, or is this a CCSP track objective?
lildeezul Member Posts: 404
Cisco Blog: VPN Virtual Tunnel Interfaces
I was reading up on that article, and I actually liked the profile. Basically it is the same as the crypto map but with fewer commands, such as set peer and match address.
Also I noticed tunnel mode ipsec ipv4, and not gre ip.
Man, this stuff is amazing; I love doing this stuff.
I got my memory in yesterday, and I am still doing some XMODEM IOS uploads. I have about 2 routers left, and then I can lab up this material. :D
Also, I was wondering: when that article did the IPsec profile, he didn't create an extended access list to define interesting traffic. Why is that? Will everything that is sent over the link be secure?
What if you don't want some subnets to utilize the secure channel of IPsec?
How would you go about this?
dtlokee Member Posts: 2,378
Few things:
1. You can use GRE or IP in IP; GRE will need to add an additional header that will lead to additional overhead vs. IP in IP.
2. You don't need an ACL because it is assumed that all traffic traversing the tunnel will be encrypted. This is the same as it would be if you used a crypto map and an ACL that matched the GRE packets (because the ACL doesn't see the inner header, only the outer one). If you want to restrict traffic from traversing the tunnel, use an ACL on the tunnel interface itself.
3. If you want some traffic to be encrypted and some not to be encrypted when using tunnels, you would need to create 2 tunnels and manipulate routing tables or policy route the traffic. I don't think this is really the best way; if you are using a public network I would encrypt all of the traffic.
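As a second added example, not from the thread, the Cisco blog post or the linked document: the same kind of tunnel configured with an IPsec profile and "tunnel protection" as dtlokee suggested, so there is no crypto ACL and no crypto map on the physical interface, plus the interface ACL dtlokee describes in point 2 for keeping one subnet out of the tunnel. The addresses 203.0.113.1/.2, the names TS, IPSEC-PROF, TUNNEL-OUT, Tunnel0 and GigabitEthernet0/0, the remote site 172.16.0.0/16 with its excluded subnet 172.16.99.0/24, and the pre-shared key placeholder are all constructed.

```cisco
! Constructed example: GRE over IPsec using an IPsec profile and tunnel
! protection, Router A side only. No crypto ACL, no crypto map on the
! physical interface. Addresses, names and the pre-shared key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The profile replaces the crypto map. There is no "set peer" (the peer is the
! tunnel destination) and no "match address" (the interesting traffic is
! everything the tunnel carries).
crypto ipsec profile IPSEC-PROF
 set transform-set TS
!
! Everything leaving Tunnel0 is encrypted. To keep a subnet out of the tunnel,
! filter on the tunnel interface itself, before encapsulation. Denied traffic
! is dropped here; it is not sent in the clear.
ip access-list extended TUNNEL-OUT
 remark constructed example: 172.16.99.0/24 must not use the tunnel
 deny   ip 192.168.0.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip access-group TUNNEL-OUT out
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
! For a VTI like the one in the blog post, replace "tunnel mode gre ip" with
! "tunnel mode ipsec ipv4" and use "mode tunnel" in the transform set. The GRE
! header is then dropped, but the VTI carries IP unicast only, so GRE is kept
! when multicast (routing protocols) or non-IP traffic has to cross.
!
! Nothing crypto-related is applied to the physical interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
ip route 172.16.0.0 255.255.0.0 Tunnel0
```

The only way 172.16.99.0/24 could reach the far side unencrypted with this configuration is through a separate path (a second, unprotected tunnel or a plain route) selected by routing or policy routing, which is exactly the two-tunnel arrangement dtlokee describes in point 3 and advises against on a public network.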
lildeezul Member Posts: 404
Thanks for your help. It makes sense now.