IPSEC/GRE interesting traffic

yuhuiyao
Level 1

Hi Friends,

I need your help to understand: when IPsec is configured with GRE, what will the interesting traffic be? Will that be GRE host to host, or can I define the interesting traffic as LAN to LAN?

I have seen both which made me confused.

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a0080189153.shtml

The above is LAN to LAN; will this work?

5 Replies

Richard Burts
Hall of Fame

Yuhui

To understand this example and to apply it to your environment it would be important to understand that Cisco made changes in IOS starting in 12.2(13)T which change the way that the crypto map is used. The example you post is configured for the earlier usage of the crypto map. Unless you are running code 12.2(13)T and earlier your implementation would work differently than the example.

The earlier implementation puts the crypto map on both the physical outbound interface and also on the tunnel interface, and the access list identifies the LAN traffic as interesting. The later implementation puts the crypto map only on the physical outbound interface and identifies the GRE host to GRE host traffic, not the LAN traffic, as interesting.

I have implemented many IPSec with GRE sites where our access list for interesting traffic has permit only for host gre to host gre and it works very well.

HTH

Rick

Rick,

The posting deserves a '5' rating. Useful info.

I saw this posting earlier today and I was about to respond that the CCO document listed in the original posting was incorrect. Good to know the older code requires LAN traffic to be considered interesting rather than the traffic between GRE peers. I guess all the GRE setups I had done must have been with IOS version 12.2(13)T and later.

Regards,

Sundar

Rick,

I just tried 12.4(19); either will work. LAN to LAN needs the crypto map on the tunnel interface, while GRE host to host needs the crypto map on the physical interface.

Sundar

Thanks for the response and for the rating. I remember the first set of IPSec/GRE tunnels I tried to do and how frustrated I got until I realized that the map had to be configured on both the tunnel and the physical interface. I never was clear why that was the case but learned clearly that was what was required to get the tunnel to work.

Yuhui

I am surprised that your LAN to LAN needs the crypto map on the tunnel interface. Perhaps it is something about how you are defining interesting traffic?

HTH

Rick

Rick,

Yes, I want to get some granular control on the interesting traffic. GRE host to host covers too broad which I think is not secure enough.

I tested with the LAN to LAN with the crypto map on the tunnel interface, and it works.
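The two placements Rick describes, and the 12.4(19) result Yuhui reports, written out side by side as IOS configuration. This is an added example, not configuration from the thread or from the linked Cisco document; all addresses, names and the pre-shared key are constructed placeholders.

```cisco
! Variant A (IOS 12.2(13)T and later, per Rick): interesting traffic is GRE between the
! two tunnel endpoints, and the crypto map sits only on the physical outbound interface.
! Everything the tunnel carries is GRE between these two hosts, so all LAN traffic inside
! it is encrypted. Addresses, names and the pre-shared key are constructed placeholders;
! pick the strongest cipher, hash and DH group your release supports.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended GRE-PEERS
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map CM-GRE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address GRE-PEERS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-GRE
!
! Variant B (the older usage Rick describes, and what Yuhui reports working on 12.4(19)):
! interesting traffic is the LAN-to-LAN flow, and the crypto map goes on BOTH the tunnel
! interface and the physical interface. Same ISAKMP policy and transform set as above.
ip access-list extended LAN-TO-LAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-LAN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address LAN-TO-LAN
!
interface Tunnel0
 crypto map CM-LAN
!
interface GigabitEthernet0/0
 crypto map CM-LAN
```

After LAN traffic crosses the tunnel, `show crypto ipsec sa` should show the encaps/decaps counters rising on the SA whose proxy identities match the chosen variant (the GRE host pair in A, the LAN subnets in B). A counter stuck at zero on the SA you expected usually means the access list or the map placement does not match what your IOS release expects.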
