Error with TAC article concerning GRE

Oct 9th, 2002

I need to do GRE thru a PIX. I looked at the following article: http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html. I see something here that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: Can the PIX correctly encrypt/decrypt packets that are being sent to a private address that is being NATed to a public IP? How much will this complicate my crypto maps and access lists? What about having the internal router with one interface on the DMZ and one on the private network? Would that be easier?

Thanks,

Diego

jekrauss Wed, 10/09/2002 - 15:17

Hi Diego,

You said: "The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work."

However, I think you're misunderstanding what is going on here. The ospf traffic is being encapsulated in GRE by the router, then the gre packet is forwarded to the pix, which encapsulates it in ipsec.

This is necessary because ospf is multicast traffic, which isn't supported by ipsec. So we encapsulate it in gre, which is supported by ipsec.

Consequently, what goes out on the internet is the ipsec packet, carried on its ip transport. The gre (and the private IPs) are encapsulated in the ipsec.

Packet would look like:

[unencrypted ip header[ipsec header[encrypted gre[ospf]]]]

kinda kool, huh?

With the above perspective, hopefully the doc will make more sense to you.

HTH

Jeff

DIEGO ALONSO Fri, 10/11/2002 - 05:49

I guess what has me confused here is that in the past (using IOS routers on both ends) I have first created a GRE tunnel using the public IPs of two routers, then I set up an IPSec tunnel (in transport mode) that considers GRE packets between the two public IPs as interesting and therefore encrypts them. This scenario seems to be sort of the opposite. The PIXes create an IPSec tunnel (in tunnel mode), then consider all traffic between the two private nets as interesting, and therefore all traffic between the two private nets, including GRE, gets encrypted. Is this correct? On a side note, can the PIX use IPSec in transport mode?

Thanks,

Diego


jekrauss Sun, 10/13/2002 - 07:55

1) Note that the pix encryption ACLs are based upon the tunnel ip addresses, which will only be the gre traffic.

2) Between two pix gateways, it's tunnel mode. If you configure the pix to be an endpoint for an l2tp tunnel for windows 2000 clients, then transport mode is used.

i.e.

Configuring L2TP Over IPSec Between PIX Firewall and Windows 2000 PC Using Certificates

http://www.cisco.com/warp/public/110/l2tp-ipsec.html

HTH

Jeff
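The nesting Jeff sketches above ([ip[ipsec[gre[ospf]]]]) and his point that the PIX crypto ACL only ever sees GRE between the two tunnel endpoints, modelled in Python as an added example that is not part of the original thread. All addresses, the SPI and the OSPF hello bytes are constructed, and ESP encryption is stood in for by leaving the inner packet readable.

```python
import struct
from ipaddress import IPv4Address

PROTO_GRE, PROTO_ESP, PROTO_OSPF = 47, 50, 89
OSPF_ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF hellos are multicast; no IPsec peer can sit at that address

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header in front of payload (checksum left zero; sample packets only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a packet built with a 20-byte header."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(IPv4Address(s)), str(IPv4Address(d)), proto, pkt[20:total]

def gre(inner):
    """RFC 2784 GRE header (no flags, protocol type 0x0800 = IPv4) in front of the inner packet."""
    return struct.pack("!HH", 0, 0x0800) + inner

def esp_tunnel(peer_a, peer_b, spi, seq, inner):
    """ESP tunnel mode: fresh outer header plus SPI/sequence; inner left readable in place of ciphertext."""
    return ipv4(peer_a, peer_b, PROTO_ESP, struct.pack("!II", spi, seq) + inner)

def ipsec_peer_reachable(pkt):
    """IPsec protects unicast traffic between peers; a multicast destination has no peer to negotiate with."""
    return not IPv4Address(parse_ipv4(pkt)[1]).is_multicast

def crypto_acl_permits(pkt, acl):
    """PIX-style 'permit <proto> host A host B' crypto ACL entry, given here as (src, dst, proto)."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return (src, dst, proto) == acl

def layers(pkt):
    """Walk the nesting outer->inner and name each IP layer, as in [ip[esp[gre[ospf]]]]."""
    out = []
    while True:
        src, dst, proto, body = parse_ipv4(pkt)
        out.append(f"ip {src}->{dst} proto {proto}")
        if proto not in (PROTO_ESP, PROTO_GRE):
            return out
        pkt = body[8 if proto == PROTO_ESP else 4:]  # skip SPI+seq (ESP) or the 4-byte GRE header

# Constructed sample: OSPF hello from router A's tunnel interface, GRE'd between the routers' private
# addresses, then carried in ESP between the two PIX public addresses.
ospf = ipv4("192.168.100.1", OSPF_ALL_SPF_ROUTERS, PROTO_OSPF, b"\x02\x01\x00\x2c" + b"\x00" * 40)
gre_pkt = ipv4("10.1.1.1", "10.2.2.1", PROTO_GRE, gre(ospf))
on_the_wire = esp_tunnel("203.0.113.1", "198.51.100.1", 0x1000, 1, gre_pkt)
```

Run as a script and inspect `layers(on_the_wire)`: the only header visible on the Internet carries the PIX public addresses, while `crypto_acl_permits(gre_pkt, ...)` shows the PIX matching on the GRE tunnel endpoints rather than on the OSPF multicast traffic inside.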
