03-24-2008 07:42 AM - edited 03-03-2019 09:14 PM
Hi Friends,
Need your help to understand: when IPsec is configured with GRE, what will be the interesting traffic? Will that be GRE host to host? Or can I define the interesting traffic as LAN to LAN?
I have seen both which made me confused.
http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a0080189153.shtml
The above is LAN to LAN; will this work?
03-24-2008 09:00 AM
Yuhui
To understand this example and to apply it to your environment it would be important to understand that Cisco made changes in IOS starting in 12.2(13)T which change the way that the crypto map is used. The example you post is configured for the earlier usage of the crypto map. Unless you are running code 12.2(13)T and earlier your implementation would work differently than the example.
The earlier implementation puts the crypto map on both the physical outbound interface and also on the tunnel interface, and the access list identifies the LAN traffic as interesting. The later implementation puts the crypto map only on the physical outbound interface and identifies the GRE host to GRE host traffic, not the LAN traffic, as interesting.
I have implemented many IPsec with GRE sites where our access list for interesting traffic has a permit only for host GRE to host GRE, and it works very well.
HTH
Rick
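The two styles Rick describes, written out as IOS configuration for one side of the tunnel. This is an added illustration, not configuration from the thread or from the Cisco document linked above. The interface names, the RFC 5737 documentation addresses (192.0.2.1 and 198.51.100.1 for the GRE peers, 10.1.1.0/24 and 10.2.2.0/24 for the LANs), the crypto map and ACL names, and the ISAKMP/IPsec proposal values are all assumptions; adjust them to your platform and IOS release.

```ios
! ===== Variant A: IOS 12.2(13)T and later =====
! Crypto map on the physical interface only; the crypto ACL
! matches the GRE encapsulation between the two tunnel endpoints.
! Everything carried inside Tunnel0 is therefore encrypted,
! whatever the inner source and destination are.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14               ! assumption: DH group 14 available on this release
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport         ! GRE already adds an outer IP header
!
ip access-list extended GRE-CRYPTO-ACL
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-CRYPTO-ACL
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-CM
!
! What enters the tunnel is decided by routing, not by the crypto ACL.
ip route 10.2.2.0 255.255.255.0 Tunnel0

! ===== Variant B: LAN-to-LAN crypto ACL (earlier behaviour, and what =====
! ===== Yuhui reports working on 12.4(19) with the map on the tunnel) =====
! Same ISAKMP policy, key and transform set as above; only the ACL
! and the interfaces carrying the map differ.
ip access-list extended LAN-CRYPTO-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map LAN-CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address LAN-CRYPTO-ACL
!
interface Tunnel0
 crypto map LAN-CM
!
interface GigabitEthernet0/0
 crypto map LAN-CM
```

Two things to check after applying either variant: `show crypto ipsec sa` should show the proxy identities you expect (the GRE host pair for Variant A, the LAN pair for Variant B) and rising encaps/decaps counters, and `show crypto map` should list the map on exactly the interfaces the variant calls for. Note on the "too broad" concern raised later in the thread: with Variant A the crypto ACL is deliberately broad because it matches the GRE wrapper, so nothing routed through Tunnel0 can leave in the clear; granular control over which LAN traffic is allowed into the tunnel belongs in routing or in an access list on the tunnel interface, not in the crypto ACL.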
03-24-2008 08:06 PM
Rick,
The posting deserves a '5' rating. Useful info.
I saw this posting earlier today and I was about to respond that the CCO document listed in the original posting was incorrect. Good to know the older code requires LAN traffic to be considered interesting rather than the traffic between GRE peers. I guess all the GRE setups I had done must have been with IOS version 12.2(13)T and later.
Regards,
Sundar
03-25-2008 09:27 AM
Rick,
I just tried 12.4(19); either will work. LAN to LAN needs the crypto map on the tunnel interface, while GRE host to host needs the crypto map on the physical interface.
03-25-2008 12:56 PM
Sundar
Thanks for the response and for the rating. I remember the first set of IPSec/GRE tunnels I tried to do and how frustrated I got until I realized that the map had to be configured on both the tunnel and the physical interface. I never was clear why that was the case but learned clearly that was what was required to get the tunnel to work.
Yuhui
I am surprised that your LAN to LAN needs the crypto map on the tunnel interface. Perhaps it is something about how you are defining interesting traffic?
HTH
Rick
03-25-2008 01:28 PM
Rick,
Yes, I want to get some granular control over the interesting traffic. GRE host to host covers too broad a range, which I think is not secure enough.
I tested LAN to LAN with the crypto map on the tunnel interface, and it works.