cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
872
Views
9
Helpful
5
Replies

IPSec vs. GRE

ccolom
Level 1
Level 1

We are in the middle of planning a DR site for our Hq office. One of the requirements is to be able to allow Internet based users who are accessing our DR site web server, access to our HQ network via a publicly routable IP.

Over 90% of the traffic from our DR site web server is to/from the Internet and back to the user. However, the other 10% from the DR site web server is authentication traffic to our HQ dbase server. Once the users are logged-in most of the remaining traffic is between the user and the DR site web server only. My questions is; would it be best to setup ipsec between the DR site ASA and the HQ site ASA just for the authentication, or would it be better to do GRE?

Thanks,

cc

5 Replies 5

Farrukh Haroon
VIP Alumni
VIP Alumni

GRE is insecure when run without IPSEC. Its all clear-text!

You can use IPSEC (direct encapsulation without GRE) if all the following are true:

a) No Multicast Traffic (like dynamic routing is required)

b) No NON-IP Traffic (IPX etc.) is required to be routed.

Otherwise if any of the above is required, you can use GRE over IPSEC.

Have a look at this link for more details:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf

Please rate if helpful.

Regards

Farrukh

Would it be best just to use IPSEC? I'm a little new to the ASA but have worked on PIX 515s before (a couple oy years ago so I'm not a major practitioner).

The main challenge seems to be to allow Internet based users to authenticate from their insecure host(s) on the Internet, to our secure dbase server at HQ. Once they're authenticated most of the remaining traffic will come from the web server at our DR site whihc is closer to them so tunneling to our HQ will not be needed after that. How much bandwidth will IPSEC use per user? The DR site has a 10MB pipe and our HQ site has a 20MB pipe.

The overhead introduced by IPSEC depends on the tunneling mechanism you will use. But it seems you have a lot of bandwidth and that should not be a major issue. If you will use the ASA/PIX to terminate your tunnel, then your only option is IPSEC direct encapsulation. GRE is not supported on the ASA/PIX.

Regards

Farrukh

Excellent, I'll start doing my homework. Thank you very much for the advice and the PDF link.

cc

No problem at all :)

Please rate if helpful. Regards

Farrukh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: