No IPSEC applied anywhere yet.
If you have 2 routers configured back-to-back with physical interfaces and tunnel interfaces - which path will traffic travel over?
Answer - it will follow the path from the routing table, I suppose. Be it OSPF or static routes or whatever.
Now add IPSEC alone.
Now OSPF fails as IPSEC does not support multicast.
Now, add IPSEC and GRE to the mix. Apply the crypto map to both physical and tunnel interfaces.
Included here is the common ACL that is associated with GRE. That is:
access-list 100 permit gre host [source physical address] host [destination physical address]
This is the ACL that is supposed to define what traffic is "interesting" and that needs to be encrypted.
Let's repeat the question - where does the traffic go?
I assume it's the same answer. Refer to the routing table.
But what traffic is encrypted? Answer - ONLY the traffic that is destined for the tunnel interface IPs.
If you ping from physical to physical it will be unencrypted.
Question - do you need to force ALL traffic down the tunnel interface in order for it to match the ACL and therefore to get encrypted?
How do we accomplish this????
Discussion and debate would be greatly appreciated.
Only traffic with the source/destination of the tunnel interfaces - you only encapsulate & encrypt what enters/exits the tunnel. If you have two sites connected via an IPSEC VPN, the "interesting" traffic for the VPN is the source/destination on the tunnel interfaces....you need to put LAN traffic into the tunnel interfaces. So you either have static routes, or you run a dynamic routing protocol like OSPF or EIGRP.
You could have a default route pointing to the firewall, a dynamic routing protocol running - so all "internal" traffic will run over the tunnel=encrypted=vpn to remote site, while all "internet" traffic routes to the firewall and leaves normally.
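The arrangement the reply describes, written out as an added Cisco IOS configuration for one side of the pair (this is a constructed example, not configuration from the thread; all addresses, interface names and the IOS 15.x syntax for SHA-256 are assumptions):

```cisco
! Constructed example: Router A of a GRE-over-IPsec pair (assumed addressing).
! A WAN 203.0.113.1, B WAN 203.0.113.2, A LAN 192.168.1.0/24,
! B LAN 192.168.2.0/24, tunnel link 10.0.0.0/30.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key [PRESHARED-KEY-PLACEHOLDER] address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! "Interesting" traffic is only GRE between the two physical (WAN) addresses,
! exactly as in the ACL quoted in the question.
access-list 100 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 100
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! This is the step the question is asking about: LAN-to-LAN traffic must be
! routed INTO Tunnel0. Once GRE-encapsulated (src 203.0.113.1, dst 203.0.113.2,
! protocol 47) it matches ACL 100 and is encrypted. A ping sourced from
! 203.0.113.1 straight to 203.0.113.2 is plain ICMP, not GRE, so it stays in
! the clear, which is what the question observed.
ip route 192.168.2.0 255.255.255.0 Tunnel0 10.0.0.2
!
! Verification (run from exec mode): the #pkts encaps/decaps counters under
! "show crypto ipsec sa" should climb only when LAN-to-LAN traffic flows.
```

Older IOS releases also required the crypto map on Tunnel0, as the question notes; on current releases it is applied to the physical interface only, and applying it on Tunnel0 as well is harmless.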