Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec vs. GRE

We are in the middle of planning a DR site for our Hq office. One of the requirements is to be able to allow Internet based users who are accessing our DR site web server, access to our HQ network via a publicly routable IP.

Over 90% of the traffic from our DR site web server is to/from the Internet and back to the user. However, the other 10% from the DR site web server is authentication traffic to our HQ dbase server. Once the users are logged-in most of the remaining traffic is between the user and the DR site web server only. My questions is; would it be best to setup ipsec between the DR site ASA and the HQ site ASA just for the authentication, or would it be better to do GRE?

Thanks,

cc

5 REPLIES

Re: IPSec vs. GRE

GRE is insecure when run without IPSEC. Its all clear-text!

You can use IPSEC (direct encapsulation without GRE) if all the following are true:

a) No Multicast Traffic (like dynamic routing is required)

b) No NON-IP Traffic (IPX etc.) is required to be routed.

Otherwise if any of the above is required, you can use GRE over IPSEC.

Have a look at this link for more details:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf

Please rate if helpful.

Regards

Farrukh

New Member

Re: IPSec vs. GRE

Would it be best just to use IPSEC? I'm a little new to the ASA but have worked on PIX 515s before (a couple oy years ago so I'm not a major practitioner).

The main challenge seems to be to allow Internet based users to authenticate from their insecure host(s) on the Internet, to our secure dbase server at HQ. Once they're authenticated most of the remaining traffic will come from the web server at our DR site whihc is closer to them so tunneling to our HQ will not be needed after that. How much bandwidth will IPSEC use per user? The DR site has a 10MB pipe and our HQ site has a 20MB pipe.

Re: IPSec vs. GRE

The overhead introduced by IPSEC depends on the tunneling mechanism you will use. But it seems you have a lot of bandwidth and that should not be a major issue. If you will use the ASA/PIX to terminate your tunnel, then your only option is IPSEC direct encapsulation. GRE is not supported on the ASA/PIX.

Regards

Farrukh

New Member

Re: IPSec vs. GRE

Excellent, I'll start doing my homework. Thank you very much for the advice and the PDF link.

cc

Re: IPSec vs. GRE

No problem at all :)

Please rate if helpful. Regards

Farrukh

381
Views
9
Helpful
5
Replies
CreatePlease to create content