Cisco Support Community
Community Member

Error with TAC article concerning GRE

I need to do GRE thru a PIX. I looked at the following article: http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html. I see something here that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: Can the PIX correctly encrypt/decrypt packets that are being sent to a private address that is being NATed to a public IP? How much will this complicate my crypto maps and access lists? What about having the internal router with one interface on the DMZ and one on the private network? Would that be easier?

Thanks,

Diego

3 REPLIES
Community Member

Re: Error with TAC article concerning GRE

Hi Diego,

You said: "The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. "

However, I think you're misunderstanding what is going on here. The OSPF traffic is being encapsulated in GRE by the router, then the GRE packet is forwarded to the PIX, which encapsulates it in IPsec.

This is necessary because ospf is multicast traffic, which isn't supported by ipsec. So we encapsulate it in gre, which is supported by ipsec.

Consequently, what goes out of the internet is the ipsec packet, carried on its ip transport. The gre (and the private ip's) are encapsulated in the ipsec.

Packet would look like:

[unencrypted ip header[ipsec header[encrypted gre[ospf]]]]

kinda kool, huh?

With the above perspective, hopefully the doc will make more sense to you.

HTH

Jeff

Community Member

Re: Error with TAC article concerning GRE

I guess what has me confused here is that in the past (using IOS routers on both ends) I have first created a GRE tunnel using the public IPs of two routers, then I set up an IPSec tunnel (in transport mode) that considers GRE packets between the two public IPs as interesting and therefore encrypts them. This scenario seems to be sort of the opposite. The PIXes create an IPSec tunnel (in tunnel mode), then consider all traffic between the two private nets as interesting; therefore all traffic between the two private nets, including GRE, gets encrypted. Is this correct? On a side note, can the PIX use IPSec in transport mode?

Thanks,

Diego

Community Member

Re: Error with TAC article concerning GRE

1) Note that the PIX encryption ACLs are based upon the tunnel IP addresses, which will only be the GRE traffic.

2) Between two pix gateways, it's tunnel mode. If you configure the pix to be an endpoint for an l2tp tunnel for windows 2000 clients, then transport mode is used.

i.e.

Configuring L2TP Over IPSec Between PIX Firewall and Windows 2000 PC Using Certificates

http://www.cisco.com/warp/public/110/l2tp-ipsec.html

HTH

Jeff
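The layering Jeff describes, as an added example that is not part of this thread or of Cisco's document: the router wraps a multicast OSPF hello in a unicast GRE packet between the tunnel endpoints, and the PIX crypto ACL (modelled here as "permit gre host A host B") matches only that GRE carrier, never the raw multicast. The addresses 10.1.1.1 and 10.2.2.2 and the hello body are constructed sample values, and the header builders skip checksums since only the nesting is being shown.

```python
import ipaddress
import struct

GRE_PROTO = 47                  # IP protocol number for GRE
OSPF_PROTO = 89                 # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800         # GRE protocol-type value for an IPv4 payload
OSPF_ALL_ROUTERS = "224.0.0.5"  # OSPF hello multicast group
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; only the layering is modelled)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, s, d = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
            "proto": proto, "payload": pkt[ihl:total]}

def build_ospf_hello(router_ip):
    """Router originates an OSPF hello to the all-routers group (constructed body)."""
    body = b"OSPF-HELLO-constructed"
    return ipv4_header(router_ip, OSPF_ALL_ROUTERS, OSPF_PROTO, len(body)) + body

def gre_encap(inner_pkt, tunnel_src, tunnel_dst):
    """Router step: basic GRE header (flags 0, type IPv4) plus a new outer
    unicast IP header addressed between the two tunnel endpoints."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_pkt
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre

def gre_decap(pkt):
    """Far-end router step: strip outer IP + GRE and return the inner packet."""
    outer = parse_ipv4(pkt)
    _flags, ethertype = struct.unpack("!HH", outer["payload"][:4])
    if outer["proto"] != GRE_PROTO or ethertype != ETHERTYPE_IPV4:
        raise ValueError("not GRE-over-IPv4")
    return outer["payload"][4:]

def crypto_acl_match(pkt, local_tunnel_ip, remote_tunnel_ip):
    """PIX step: the 'interesting traffic' ACL modelled as
    'permit gre host <local tunnel ip> host <remote tunnel ip>'.
    A multicast OSPF packet never matches; the unicast GRE carrier does."""
    hdr = parse_ipv4(pkt)
    return (hdr["proto"] == GRE_PROTO and hdr["src"] == local_tunnel_ip
            and hdr["dst"] == remote_tunnel_ip)
```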
