I have been going through IPSec & GRE study guides and have a few queries that I am struggling to find an answer for. Kindly help me clear these.
1. IPSec does not support multicast whereas GRE does. I am wondering why IPSec does not support multicast. I understand IPSec encrypts all data including the IP header and creates a new IP header. But from my understanding, even GRE encapsulates the IP header and creates a new IP header. Then how come only GRE supports routing?
2. In GRE configuration, we specify the Tunnel Source & Tunnel Destination. Will these IP addresses be the source & destination IP address of the new header that GRE creates?
3. When you run GRE over IPSec, which is the interface to apply the crypto map to? I have seen implementations wherein sometimes it's on the Tunnel interface, sometimes on the Internet-facing interface and sometimes even on both?
Thanks in advance for your active participation on this.
1) To assume that routing protocols do not work over IPSec is too much of a generalization. As you say later in your post, the real issue is multicast traffic over IPSec (which does not work until very recent releases of IOS). Since BGP uses unicast (TCP) addressing, it will work over IPSec.
2) BGP would still work. BGP will advertise whatever network you tell it to advertise (assuming that the network is found in the IP routing table). If you advertise network 150.x.x.x and that network is not included in the interesting traffic access list then the traffic to and from that network would not be encrypted and would be sent in clear text.
3) If you had configured EIGRP there would be a problem since EIGRP uses multicast advertisements.
Here is a reference which explains the change in requirement for placement of the crypto map:
With IOS 12.2(13)T software and later (higher numbered T-train software, 12.3 and later), the configured IPSec crypto map only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. In software versions prior to this release, IPSec crypto maps need to be applied to both the tunnel interface and the physical interface. Having the crypto map on the physical and tunnel interface when using the 12.2(13)T software and later should still work; however, Cisco highly recommends that you apply it just on the physical interface.
If you want additional details here is the link:
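To tie the three questions together, here is an added GRE-over-IPSec configuration for one side of the tunnel. It is an illustrative example written for this thread, not configuration from the original posts or from Cisco's document, and every address, name and key in it is hypothetical (the public addresses are RFC 5737 documentation ranges). It assumes an IOS release at or after 12.2(13)T that also supports the AES/SHA-256 suite shown; on older releases substitute whatever transform the platform offers.

```cisco
! Added example (not from the original post or Cisco's document).
! Site A router. All addresses, names and keys are hypothetical.
!   Local Internet-facing address : 203.0.113.1 (GigabitEthernet0/0)
!   Peer Internet-facing address  : 198.51.100.1
!
! Phase 1 (ISAKMP) policy and pre-shared key for the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK address 198.51.100.1
!
! Phase 2 transform set. Transport mode is enough here because GRE
! already supplies the outer IP header; it saves 20 bytes per packet.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! "Interesting traffic": only the GRE packets between the two tunnel
! endpoints. The GRE outer header carries the tunnel source and tunnel
! destination as its src/dst (question 2), so this single line covers
! every packet that enters the tunnel, multicast routing-protocol
! hellos included (question 1). No per-subnet ACL lines are needed,
! so a newly advertised network cannot slip past the crypto map in
! clear text.
ip access-list extended GRE-TO-SITEB
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-SITEB
!
! GRE tunnel. "tunnel source" and "tunnel destination" become the
! source and destination of the new outer IP header on every
! encapsulated packet. No crypto map here on 12.2(13)T and later
! (question 3); before that release it would also have to go here.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
! Physical interface: the crypto map goes here and only here.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
!
! Routing over the tunnel. EIGRP multicast (224.0.0.10) is first
! wrapped in unicast GRE and only then encrypted, which is why it
! works over IPSec even though IPSec itself cannot carry multicast.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
```

To confirm that the routing protocol traffic really is being protected, check `show crypto ipsec sa` on the physical interface after the EIGRP adjacency comes up: the encaps/decaps counters for the GRE-TO-SITEB flow should increase with every hello, and `show ip eigrp neighbors` should list the peer's Tunnel0 address. If the counters stay at zero while the adjacency forms, the packets are leaving in clear text, which is the failure the crypto ACL above is written to avoid. On current IOS the same result is more often obtained with an IPsec profile and `tunnel protection ipsec profile` on the tunnel interface instead of a crypto map, but the interface-placement rule quoted above is specific to crypto maps.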