Another GRE question for the week

francisco_1 · ‎09-18-2008

I have terminated ipsec tunnel on two ASA'S, beind the ASA's i have routers forming EIGRP adjacency using the GRE over the ipsec tunnel. Does GRE encapsulate also the ipsec interesting traffic (unicast from the client applications) through the ipsec tunnel or just the routing traffic (None IP) for EIGRP? I am planning to implement QoS.

Francisco

Giuseppe Larosa · ‎09-18-2008

Hello Francisco,

usually if point-to-point GRE over IPSec interesting traffic can be only the GRE packets themselves or GRE plus something else

Every IP subnet advertised in eigrp over the GRE tunnel will be encapsulated as GRE and then in IPSec.

see

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/1_p2pGRE_Phase2_external_docbase_0900e4b180a3efed_4container_external_docbase_0900e4b180ad8740.html

Hope to help

Giuseppe

satish_zanjurne · ‎09-18-2008

It is like

Data Traffic---->Encapsulation GRE------>Encrypted IPSec.

So while defining interesting traffic , you need to define GRE traffic as interesting like

access-list 101 permit gre a.b.c.0 x.x.x.x e.f.g.0 x.x.x.x

where a.b.c.0 is the subnet connecting ASA & router behind ASA..

HTH..rate if helpful..

francisco_1 · ‎09-18-2008

so once the unicast is enacpsulated using GRE by the routers, the ASA will only see the GRE traffic and then encrypt it. right.

satish_zanjurne · ‎09-18-2008

It is right !!!!!!