Tunnel Config - Ipsec/Gre or Gre/Ipsec

I have the following VPN Tunnel setup. My query is - Is this classed as IPSEC over GRE or GRE over IPSEC? I've read over the following link - https://supportforums.cisco.com/discussion/11662911/transport-mode-and-gre-tunnel#3786671 but still a bit unsure on the order of happenings when I send a packet over my tunnel below. Is the original packet encrypted first, then GRE encapsulation 2nd?

interface Tunnel9
 description Tunnel to U.S
 ip address 172.27.240.29 255.255.255.252
 ip mtu 1452
 qos pre-classify
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel protection ipsec profile US

crypto ipsec profile US
 set transform-set site-site

crypto ipsec transform-set site-site esp-des esp-md5-hmac

1 ACCEPTED SOLUTION

VIP Purple

The packets get first encapsulated in GRE and then in IPsec. It has to be that order because only that way you can use GRE for transporting other protocols than IPv4. Another reason for always using IPSec as the outer layer is to give an attacker the least information possible. He won't see if you transport IP, GRE or something else.

10 REPLIES
Bronze

Hi Karsten,

Thanks for the reply. If for example I have OSPF Hellos or LSAs going across that Tunnel, again these are first encapsulated in GRE and then IPSEC and sent over the tunnel?

VIP Purple

No difference with OSPF, first you encapsulate in GRE, then the packet gets protected with IPsec. (Ok, more or less protected in your example, DES/MD5 isn't anything that should be used any more. But that's independent of the way GRE/IPsec works.)

Bronze

Hi Karsten,

Thanks for the info and also to Joseph. One last query I guess. When using these tunnels - do my ACLs only need to be configured for:

permit esp host x.x.x.x host y.y.y.y
permit udp host x.x.x.x host y.y.y.y eq isakmp

for these tunnels to come up? Same if I use tunnel mode ipsec ipv4?

VIP Purple

Yes, that's what is needed. If one device is behind a NAT, you also have to add UDP/4500.

Some more info about interface ACLs used with VPNs:

https://supportforums.cisco.com/document/12018566/configuring-interface-acls-vpns

Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

BTW, not 100% sure, but 1452 might be a tad large for GRE/IPSec (unless you're using the non-default mode that reduces IPSec overhead [cannot recall whether that's tunnel or transport mode]). Also, if the platform supports it, I recommend using the tcp adjust-mss command. Lastly, if your platforms support it, you might want to switch to VTI tunnels.

Bronze

Hi Joseph,

You mention switch to VTI tunnels. Just had a look into this.

By adding the following - tunnel mode ipsec ipv4 - this one command stops the tunnel from being GRE, taking away the 4-byte header? What is being used instead of GRE in this case?

VIP Purple

> What is being used instead of gre in this case?

IP is directly transported in IPsec. So, yes, you have less overhead. But with GRE you have more flexibility. Probably that's the reason FlexVPN is based on GRE.
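
The encapsulation order Karsten describes (GRE first, then ESP), the overhead behind Joseph's remark about 1452 being a tad large, and the VTI case (IP carried directly in ESP) can all be checked in one place by building the on-wire bytes. The Python script below is an added example and is not code from the thread or from Cisco. It assumes the transform set in the original post (esp-des esp-md5-hmac, so an 8-byte IV, 8-byte cipher block and 12-byte HMAC-MD5-96 ICV), uses constructed sample addresses, SPI and key, and performs no encryption at all: the ESP payload is left in clear as a labelled stand-in, so only the framing, padding and ICV are real. Which ESP mode IOS picks by default for tunnel protection is not taken from the thread; tunnel and transport are both parameters.

```python
"""Added example, not from the thread: builds the on-wire layout of one packet
leaving the tunnel in the original post, so the encapsulation order
(inner IP -> GRE -> ESP) and the resulting overhead can be inspected.
Assumed: esp-des esp-md5-hmac from the thread (8-byte IV, 8-byte block,
12-byte HMAC-MD5-96 ICV); addresses, SPI and key are constructed samples;
encryption is NOT performed, the ESP payload stays in clear as a stand-in."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # RFC 2784 GRE header, no key/sequence/checksum
SPI_SEQ = 8          # ESP SPI + sequence number
IV_LEN = BLOCK = 8   # DES-CBC IV and block size (assumed from the transform set)
ICV_LEN = 12         # HMAC-MD5-96 truncated ICV
NAT_T_UDP = 8        # UDP/4500 header added when NAT traversal is negotiated

MODES = ("gre-tunnel", "gre-transport", "vti")


def ipv4_header(src, dst, proto, total_len):
    """Minimal IPv4 header (DF set, TTL 64) with a correct one's-complement checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


def gre_encapsulate(inner, src, dst):
    """Step 1 on a GRE tunnel: GRE header (protocol type 0x0800 = IPv4) plus
    an outer IPv4 header with protocol 47."""
    gre = struct.pack("!HH", 0, 0x0800) + inner
    return ipv4_header(src, dst, IPPROTO_GRE, IP_HDR + len(gre)) + gre


def esp_encapsulate(packet, mode, src, dst, spi=0x1000, seq=1, auth_key=b"sample-key"):
    """Step 2: ESP. Transport mode protects only the GRE header + inner packet
    and sets next header = 47 (GRE); tunnel mode (and a VTI) protects the whole
    IP packet and sets next header = 4. Either way the wire shows protocol 50."""
    if mode == "gre-transport":
        payload, next_hdr = packet[IP_HDR:], IPPROTO_GRE
    else:
        payload, next_hdr = packet, IPPROTO_IPIP
    pad_len = (-(len(payload) + 2)) % BLOCK           # RFC 4303 trailer alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    iv = bytes(IV_LEN)                                 # constructed fixed IV
    body = struct.pack("!II", spi, seq) + iv + payload + trailer  # stand-in: not encrypted
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(src, dst, IPPROTO_ESP, IP_HDR + len(esp)) + esp


def send_through_tunnel(inner, mode, src="192.0.2.1", dst="198.51.100.1"):
    """Full path for one packet: GRE first (skipped on a VTI), then ESP."""
    if mode not in MODES:
        raise ValueError(mode)
    carried = inner if mode == "vti" else gre_encapsulate(inner, src, dst)
    return esp_encapsulate(carried, mode, src, dst)


def wire_protocol(packet):
    """The IPv4 protocol field: all an on-path observer learns about the payload."""
    return packet[9]


def wire_size(inner_len, mode, nat_t=False):
    """Arithmetic form of the same encapsulation, for MTU planning."""
    if mode == "gre-transport":
        payload = GRE_HDR + inner_len
    elif mode == "gre-tunnel":
        payload = IP_HDR + GRE_HDR + inner_len
    else:
        payload = inner_len
    pad = (-(payload + 2)) % BLOCK
    udp = NAT_T_UDP if nat_t else 0
    return IP_HDR + udp + SPI_SEQ + IV_LEN + payload + pad + 2 + ICV_LEN


def max_inner_mtu(outer_mtu, mode, nat_t=False):
    """Largest 'ip mtu' on the tunnel whose packets never exceed outer_mtu on the wire."""
    size = outer_mtu
    while wire_size(size, mode, nat_t) > outer_mtu:
        size -= 1
    return size


def tcp_mss_for(inner_mtu):
    """Value for 'ip tcp adjust-mss': inner MTU minus the IPv4 and TCP headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    # constructed 1452-byte inner packet, i.e. exactly the tunnel's 'ip mtu'
    inner = ipv4_header("172.27.240.29", "172.27.240.30", IPPROTO_UDP, 1452) + bytes(1432)
    for mode in MODES:
        pkt = send_through_tunnel(inner, mode)
        print(f"{mode:14s} wire proto {wire_protocol(pkt)} size {len(pkt)} "
              f"max ip mtu {max_inner_mtu(1500, mode)} "
              f"(with NAT-T: {max_inner_mtu(1500, mode, True)})")
```

Run stand-alone it prints, per mode, the outer protocol (always 50, ESP, whatever is inside), the wire size of a 1452-byte inner packet (1512 bytes with GRE and ESP transport mode, 1528 with GRE and ESP tunnel mode, 1504 on a VTI, all above a 1500-byte path MTU) and the largest ip mtu that fits: 1442, 1422 and 1446 respectively, each 8 bytes less once UDP/4500 NAT-T encapsulation is added. The last byte before the ICV is the ESP next-header field, which is where "GRE" or "IP" would be visible if it were not inside the protected region.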

Super Bronze

BTW, you can do routing protocols over VTI tunnels. Not sure about multicast, but it might be supported too. I.e. VTI tunnels provide many or all of the same benefits as GRE/IPSec tunnels.

VIP Purple

Yes, that's true. But with flexibility I was thinking about dual-stack deployments (I just see that I forgot to mention that in the last post). GRE supports this while VTIs (as far as I know) still don't.
