×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IPSEC

Unanswered Question
May 28th, 2012
User Badges:

Hi

For an IPSEC over GRE Tunnel  is it adviced to have tunnel config on Internet  Router and IPSEC on firewall also considering that UserVPN will be configured on ASA, internet browsing for LAN users, Email traffic will flow inside-to-outside and vice-versa








cheers

Anthony

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Peter Paluch Mon, 05/28/2012 - 23:20
User Badges:
  • Cisco Employee,

Hello Anthony,


Please note that the usual combination of IPsec and GRE is GRE-over-IPsec, not vice versa as you indicated. First the traffic is GRE-encapsulated and then it is IPsec-protected. The decryption/decapsulation is performed in the reverse order.


ASA boxes are unable to terminate GRE tunnels. They can serve as endpoints of IPsec tunnels but they do not support GRE tunneling themselves - they only pass GRE traffic transparently. If a GRE-over-IPsec tunnel is used, the ASA can terminate the IPsec tunnel but the GRE tunnel must be terminated on the router.


So in your case, the GRE configuration must be placed at the router because the ASA has no support for it. The IPsec termination - that's a different story. You can place it either on the router or on the ASA. The ASA can generally be expected to provide higher encryption/decryption performance than routers so the IPsec would be probably better configured on the ASA. However, it is now questionable how the GRE flows will look like: the IPsec traffic will go through the router, terminate at the ASA, get decrypted, and the resulting GRE packets will have to be sent back to the router. That does not seem reasonable.


Perhaps you should think about putting the ASA before the router.


Best regards,

Peter

anthony.dyne Tue, 05/29/2012 - 00:00
User Badges:

Peter thanks for kind information. how can we have ASA before the router.  ISP link is terminated on Router.


Help me to understand what infrastructure different companies got  where HO terminated GRE over IPSEC , web hosting services, email services , SSL user VPN, User VPN using cisco client, browsing facility for LAN users.


I am interested in seeing placement of devices and traffic flow


what i understand

Backbone-switch>>Distribution-switches>>access-switches  (( this is for switches ))

Backbone-switch>>Firewall>>Internet-Router  (Internet-traffic))

Peter Paluch Tue, 05/29/2012 - 00:17
User Badges:
  • Cisco Employee,

Hi Anthony,


What technology is used to connect you to the ISP? Is it an Ethernet hand-off or some kind of DSL? What is the speed of this connection?


Regarding the recommended infrastructure, there are no hard rules although there are some recommended designs available - but they usually tend to get quite costly as they like to have dedicated devices for dedicated purposes, i.e. SSL VPNs and remote access IPsec VPNs are terminated on dedicated devices, GRE tunnels are terminated on dedicated devices, and routers facing the internet do not directly deal with GRE or IPsec/SSL.


What kinds of devices do you have, anyway? Knowing their exact types and information about installed crypto modules, VPN accelerators, etc. would be helpful.


In case you want to remain with your current topology there are two options:


  1. Terminate the GRE-over-IPsec including the IPsec on the router, and let the ASA handle all the other IPsec/SSL stuff
  2. Terminate all encrypted traffic on the ASA, and then expect the GRE to go from ASA back to router, and after decapsulation, again from the router back to the ASA and to the internal network.


I know too little about your network and your requirements on the connectivity to talk about the traffic flows. So far, I only see three devices - router, ASA, Cat3560 - and I have no information about the remote users, GRE traffic, etc. To comment on those issues, we would need to understand your needs in much greater detail.


Best regards,

Peter

Actions

This Discussion

Related Content