Cisco Support Community

New Member

IPsec with GRE question

Hi,

Does anyone have a good reference doc about GRE with IPsec?

I am a little confused about 2 flavors of crypto ACL used:

A) permit ip <source-net> <destination-net>

B) permit gre any any

It seems option A is encrypt first, then GRE encap, while option B is encap first, then encrypt.

Is there a good ref about these setups?

Thanks

Michael

4 REPLIES
New Member

Re: IPsec with GRE question

I am unsure about any good references. I guess it all depends on what you want to do. It also depends on whether you are running a GRE tunnel (which is optional) as well.

Option A would encrypt all traffic matching the ACL. Option B would encrypt all tunnel traffic leaving that interface.

It all depends on what you want to accomplish. I ended up going with option B as we had a large amount of tunnels and it was just easier for me to see.

I can tell you, about the most important thing you can do for VPN router-to-router access is to get loopbacks on the router(s) in question.

Mike

New Member

Re: IPsec with GRE question

Cisco Employee

Re: IPsec with GRE question

Hi,

Cisco SDM might help you. It's a UI device manager that comes with access routers and helps you set up your VPN network with ease.

Please take a look at http://www.cisco.com/go/SDM

Regards,

Ravikumar

New Member

Re: IPsec with GRE question

Hi Michael,

As you understand, there are 2 ways to use IPSec with GRE: GRE inside IPSec (the most often used) and IPSec inside GRE. Your option A is the case of IPSec inside GRE and option B is the case of GRE inside IPSec.

You would require GRE inside IPSec when you want non-IP packets or multicast packets to be encrypted and sent over a tunnel. This is because IPSec can encrypt only unicast traffic. For example, a routing protocol like RIP uses multicast for communicating with RIP-enabled routers. In this case, the multicast traffic is first encapsulated with GRE (which turns the multicast packet into a unicast packet by setting the source and destination address to the tunnel source and destination address) and then IPSec is applied to it.

The necessary rule of thumb is:

-------------------------------------------

For GRE inside IPSec tunnel, use only GRE as the protocol and the GRE tunnel end points as the traffic source and destination in the crypto ACL.

For IPSec inside GRE tunnel, use only IP as the protocol and only hosts as the traffic source and destination in your crypto ACL.

Hope that is clear. Let me know if you have more questions.

Naveen.

mnaveen@cisco.com
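A constructed Cisco IOS fragment for one side of the tunnel, added here as an illustration and not taken from the thread, showing the GRE-inside-IPSec rule of thumb above (crypto ACL = GRE only, between the two tunnel endpoints, crypto map on the physical interface) with the contrasting IPSec-inside-GRE ACL at the end; all addresses, names and the RIP example are assumptions.

```cisco
! Router A -- GRE inside IPSec (the original post's option B, tightened per the rule above)
! Constructed example: 192.0.2.1 = this router's WAN address, 198.51.100.1 = peer's WAN address
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
! Transport mode is enough here: the GRE header already carries the tunnel endpoints
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! Crypto ACL: only protocol GRE, only the two tunnel endpoints as source/destination
ip access-list extended GRE-TO-B
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map CM-B 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-B
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
! Crypto map on the physical interface: the already GRE-encapsulated packet is what gets encrypted
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-B
!
! RIP multicast (224.0.0.9) rides inside the GRE tunnel, so it is encrypted like any other payload
router rip
 version 2
 network 10.0.0.0
!
! Contrast -- IPSec inside GRE (the original post's option A): the crypto ACL names the
! inner IP hosts, not GRE, because IPSec is applied before GRE encapsulation in that design
ip access-list extended HOSTS-TO-B
 permit ip host 10.1.0.10 host 10.2.0.10
```

Verify which flavour is actually in effect with `show crypto ipsec sa`: for the GRE-inside-IPSec case the local/remote identities shown are the two tunnel endpoints with protocol 47, not the inner host addresses.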
