Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

IPSEC/GRE interesting traffic

Hi Friends,

Need your help to understand with IPSEC is configured with GRE, what will be the interesting traffic? Will that be gre host to host? Or can I define the interesting traffic as LAN to LAN?

I have seen both which made me confused.

http://www.cisco.com/en/US/products/ps6635/products_white_paper09186a0080189153.shtml

The above it LAN to LAN, will this work?

5 REPLIES
Hall of Fame Super Gold

Re: IPSEC/GRE interesting traffic

Yuhui

To understand this example and to apply it to your environment it would be important to understand that Cisco made changes in IOS starting in 12.2(13)T which change the way that the crypto map is used. The example you post is configured for the earlier usage of the crypto map. Unless you are running code 12.2(13)T and earlier your implementation would work differently than the example.

The earlier implementation puts the crypto map on both the physical outbound interface and also on the tunnel interface. And the access list identifies the LAN traffic as interesting. The later implementation put the cyrpto map only on the physical outbound interface and identifies the gre host to gre host and not the LAN traffic as interesting.

I have implemented many IPSec with GRE sites where our access list for interesting traffic has permit only for host gre to host gre and it works very well.

HTH

Rick

Re: IPSEC/GRE interesting traffic

Rick,

The posting deserves a '5' rating. Useful info.

I saw this posting earlier today and I was about to respond the CCO document listed in the original posting was incorrect. Good to know the older code requires LAN traffic to be considered interesting rather than the traffic between GRE peers. I guess all the GRE setup I had done must have been with IOS version 12.2(13)T and later.

Regards,

Sundar

New Member

Re: IPSEC/GRE interesting traffic

Rick,

I just tried 12.4(19), either will work. LAN to LAN need crypto map on tunnel interface, while GRE host to host need crypto map on physical interface.

Hall of Fame Super Gold

Re: IPSEC/GRE interesting traffic

Sundar

Thanks for the response and for the rating. I remember the first set of IPSec/GRE tunnels I tried to do and how frustrated I got until I realized that the map had to be configured on both the tunnel and the physical interface. I never was clear why that was the case but learned clearly that was what was required to get the tunnel to work.

Yuhui

I am surprised that your LAN to LAN needs the crypto map on the tunnel interface. Perhaps it is something about how you are defining interesting traffic?

HTH

Rick

New Member

Re: IPSEC/GRE interesting traffic

Rick,

Yes, I want to get some granular control on the interesting traffic. GRE host to host covers too broad which I think is not secure enough.

I tested with the LAN to LAN with crypto map on tunnle interface, it works.

292
Views
15
Helpful
5
Replies
CreatePlease to create content