IPSEC

anthony.dyne · ‎05-28-2012

Hi

For an IPSEC over GRE Tunnel is it adviced to have tunnel config on Internet Router and IPSEC on firewall also considering that UserVPN will be configured on ASA, internet browsing for LAN users, Email traffic will flow inside-to-outside and vice-versa

cheers

Anthony

Peter Paluch · ‎05-28-2012

Hello Anthony,

Please note that the usual combination of IPsec and GRE is GRE-over-IPsec, not vice versa as you indicated. First the traffic is GRE-encapsulated and then it is IPsec-protected. The decryption/decapsulation is performed in the reverse order.

ASA boxes are unable to terminate GRE tunnels. They can serve as endpoints of IPsec tunnels but they do not support GRE tunneling themselves - they only pass GRE traffic transparently. If a GRE-over-IPsec tunnel is used, the ASA can terminate the IPsec tunnel but the GRE tunnel must be terminated on the router.

So in your case, the GRE configuration must be placed at the router because the ASA has no support for it. The IPsec termination - that's a different story. You can place it either on the router or on the ASA. The ASA can generally be expected to provide higher encryption/decryption performance than routers so the IPsec would be probably better configured on the ASA. However, it is now questionable how the GRE flows will look like: the IPsec traffic will go through the router, terminate at the ASA, get decrypted, and the resulting GRE packets will have to be sent back to the router. That does not seem reasonable.

Perhaps you should think about putting the ASA before the router.

Best regards,

Peter

anthony.dyne · ‎05-29-2012

Peter thanks for kind information. how can we have ASA before the router. ISP link is terminated on Router.

Help me to understand what infrastructure different companies got where HO terminated GRE over IPSEC , web hosting services, email services , SSL user VPN, User VPN using cisco client, browsing facility for LAN users.

I am interested in seeing placement of devices and traffic flow

what i understand

Backbone-switch>>Distribution-switches>>access-switches (( this is for switches ))

Backbone-switch>>Firewall>>Internet-Router (Internet-traffic))

Peter Paluch · ‎05-29-2012

Hi Anthony,

What technology is used to connect you to the ISP? Is it an Ethernet hand-off or some kind of DSL? What is the speed of this connection?

Regarding the recommended infrastructure, there are no hard rules although there are some recommended designs available - but they usually tend to get quite costly as they like to have dedicated devices for dedicated purposes, i.e. SSL VPNs and remote access IPsec VPNs are terminated on dedicated devices, GRE tunnels are terminated on dedicated devices, and routers facing the internet do not directly deal with GRE or IPsec/SSL.

What kinds of devices do you have, anyway? Knowing their exact types and information about installed crypto modules, VPN accelerators, etc. would be helpful.

In case you want to remain with your current topology there are two options:

Terminate the GRE-over-IPsec including the IPsec on the router, and let the ASA handle all the other IPsec/SSL stuff
Terminate all encrypted traffic on the ASA, and then expect the GRE to go from ASA back to router, and after decapsulation, again from the router back to the ASA and to the internal network.

I know too little about your network and your requirements on the connectivity to talk about the traffic flows. So far, I only see three devices - router, ASA, Cat3560 - and I have no information about the remote users, GRE traffic, etc. To comment on those issues, we would need to understand your needs in much greater detail.

Best regards,

Peter