Cisco Support Community
New Member

ipsec on vlan

Hi

I have two routers (C887VAG2 & ASR1006) connected point-to-point. I'm trying to configure IPsec, but my phase 2 fails and the GRE tunnel line protocol remains down. I tried tunnel protection on VTIs and applying a crypto map on the tunnel interface; when I apply the crypto map on the tunnel interface I get the error message below:

% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

I have attached the configs for both routers; there's no intermediate device.

- Is it possible to get a document that explains what headers are added to the packet when VLAN and IPsec are used?

- An explanation of the difference between GRE-over-IPsec and IPsec-over-GRE, i.e. the process as the packet enters the router, gets encrypted, and is then decrypted on the remote side.

Thanks and regards

Mpho

Accepted Solution
Cisco Employee

Re: ipsec on vlan

> % NOTE: crypto map is configured on tunnel interface.
>         Currently only GDOI crypto map is supported on tunnel interface.
> % NOTE: crypto map is configured on tunnel interface.
>         Currently only GDOI crypto map is supported on tunnel interface.
>
> I have attached the configs for both routers, there's no intermediate device.

Since CSCtj63943 we have disabled this possibility in order to avoid configuring something not supported.

About your 2 questions:

In transport mode

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035

In tunnel mode

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp58618

Of course GRE over IPsec needs to be set up in transport mode, for two reasons:

  • Overhead [transport mode saves 20 bytes]
  • NAT compatibility [without going into too much detail, tunnel mode may not work behind NAT]

Essentially:

GRE over IPSEC

----------------------------------------------------------------------------------------

|IP header|IPSEC Header| Encrypted PAYLOAD| ESP Trailer|

-----------------------------------------------------------------------------------------

Where  Encrypted Payload contains:

-----------------------------------------

|GRE header| IP packet      |

-----------------------------------------

IPSEC over GRE [ Supported with GETVPN only]

----------------------------------------------------------------------------------------

|IP header|GRE|IPSEC Header| Encrypted PAYLOAD| ESP Trailer|

-----------------------------------------------------------------------------------------

Where  Encrypted Payload contains:

-----------------------------------------

|IP packet                          |

-----------------------------------------

With IPsec over GRE you 'leak' some information [an attacker sees that it's GRE traffic and could start trying to blindly inject packets by simply sending some stuff encapsulated in GRE].

Let me know if this answers your question.


New Member

Re: ipsec on vlan

From a configuration perspective, what determines which of the two aforementioned deployments you get?

For example, if I want to use IPsec-over-GRE, where do I apply my IPsec policy, and for GRE-over-IPsec, where do I apply my IPsec policy?


New Member

Re: ipsec on vlan

Oh sorry, I missed the part where you explicitly mention that IPsec-over-GRE is supported with GETVPN only.

Thanks
