
GRE over IPSec and Windows Clients Authentication

delin
Level 1

Hi all,

We have two sites A and B. On site A we have PIX 515 and a T1 line. We need to establish connection to site B to allow the Windows 2000 domain clients on site B to authenticate with the domain controller on site A and to acquire IP addresses from DHCP server. Also the clients at site B will need to browse the network at site A and use shared resources. Site B will connect to the internet over a DSL line and DSL modem provided by ISP.

My question is: is it possible to connect transparently sites A and B using GRE to meet the above requirements? Also is it possible to encrypt the GRE tunnel using IPSec?

How well does the PIX (OS 6.3) support the GRE protocol and what other Cisco device may we need at site B? As far as I know it is not possible (or hard to do) to use IPSec behind NAT. So we probably will need a DSL modem which can work in bridge mode and connect it directly to whatever device we use at site B?

If the above is correct the Cisco device we need to use at site B also should provide NAT services.

1 Reply

Richard Burts
Hall of Fame

When you say you want to transparently connect A and B do I assume that you are talking about bridging the two sites together? Bridging traffic over GRE tunnels is officially not supported. I have heard from some people who have done it and say that it has worked for them. It may work for you. But if you try it and have a problem then Cisco has no obligation to fix whatever is not working. Do you want to take that risk?

If you do decide to use GRE tunnels it can be done to encrypt the GRE tunnel with IPSec. I have done a number of implementations where we set up GRE tunnels and used IPSec to encrypt them. It works quite well.

One issue with GRE is that as far as I know GRE is not supported on PIX. So you would need a router to terminate the GRE tunnels.

HTH

Rick

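The GRE tunnel encrypted with IPSec that the reply describes, sketched as a Cisco IOS configuration for a router at site B. This is an added example, not configuration from either poster. It assumes a routed (not bridged) design, a recent IOS release, public addresses on both routers with no NAT between them, and placeholder addresses, names and key throughout.

```cisco
! Site B router. All addresses, names and the key are placeholders (assumptions).
!   203.0.113.2  = site B router, public side (DSL modem in bridge mode)
!   192.0.2.1    = site A router that terminates the GRE tunnel
!   10.1.0.10    = DHCP server / domain controller at site A
!   10.2.0.0/24  = site B LAN, 10.1.0.0/24 = site A LAN
!
! IKE phase 1 policy and peer key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
! IPSec protects the GRE packets; transport mode is enough because
! GRE already supplies the outer IP header between the two routers.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel to site A, encrypted by the profile above
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ! leave room for GRE + ESP overhead to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.2
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile GRE-PROT
!
! Site B LAN: relay client DHCP broadcasts to the server at site A
interface FastEthernet0/1
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.1.0.10
!
! Reach site A's LAN through the tunnel
ip route 10.1.0.0 255.255.255.0 Tunnel0
```

The site A router mirrors this with the tunnel source and destination swapped, the peer address in the key statement changed, and a route to 10.2.0.0/24 via Tunnel0. After the tunnel comes up, `show crypto ipsec sa` should show the encaps/decaps counters increasing as traffic crosses Tunnel0, which confirms the GRE traffic is actually being encrypted.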