GRE alternatives for PIX

tato386
Level 6

I need to design a VPN network around a PIX 515E hub site and IOS routers at the remote sites. In the past, I have designed VPN networks using only IOS routers. I like to use IPSec encrypted GRE tunnels so that I can run RIP over the VPN and also so that I can create default routes for Internet traffic via the GRE tunnel interfaces to route traffic through centralized URL monitoring and filtering devices. I was told that the PIX does not support GRE. How can I do the above without GRE? What are my alternatives?

Thanks,

Diego

3 Replies

jekrauss
Level 1

Diego,

The pix just doesn't support termination of GRE tunnels. However, you can terminate your GRE tunnels on a router inside of your pix.

i.e.

router-------pix---------Internet-------------router

gre---------------------------------------------gre (from router to router)

             ipsec-----------------------------ipsec (from pix to router)

The ipsec tunnel on the pix uses the gre traffic as the interesting traffic.

Here's a doc that shows you how to do it:

http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diagram

HTH

Jeff

Looks like that might work.

Thanks!

Diego

Jeff:

After looking at that article more closely I see something that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes can the PIX correctly encrypt packets that are being sent to a NATed address. At best, this would complicate the PIX config quite a bit. What about having the internal router with one interface on the DMZ and one on the private network. Wouldn't that be easier?

Thanks,

Diego
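The hub-and-spoke layout Jeff describes, written out as constructed configuration fragments (an added example, not from the thread or the linked Cisco document). Addresses, names and the pre-shared key are placeholders: remote router outside 198.51.100.2 with Loopback0 10.2.2.1 as its GRE endpoint, hub PIX outside 203.0.113.1 / inside 10.1.1.1, and a hub router at 10.1.1.2 behind the PIX terminating GRE. The crypto ACLs match GRE between the two private endpoints and nat 0 exempts that flow, so the PIX encrypts the GRE packet in tunnel mode with its own outside address as the outer header and no translation of the endpoints is needed; the host routes on the remote router keep the GRE and IPsec peers on the physical path so that the default route via Tunnel0 does not recurse into itself.

```text
! ---- Remote IOS router (constructed: outside 198.51.100.2, Loopback0 10.2.2.1)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
crypto isakmp key EXAMPLE_PSK address 203.0.113.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! Interesting traffic: the GRE flow between the two private tunnel endpoints
access-list 110 permit gre host 10.2.2.1 host 10.1.1.2
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
interface Loopback0
 ip address 10.2.2.1 255.255.255.255
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.1.1.2
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
router rip
 network 172.16.0.0
 network 10.0.0.0
! GRE and IPsec peers stay on the physical path; the default route goes via Tunnel0
ip route 10.1.1.2 255.255.255.255 198.51.100.1
ip route 203.0.113.1 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
! ---- Hub PIX 515E (constructed: outside 203.0.113.1, inside 10.1.1.1)
access-list GRE-VPN permit gre host 10.1.1.2 host 10.2.2.1
access-list NONAT permit ip host 10.1.1.2 host 10.2.2.1
nat (inside) 0 access-list NONAT
route outside 10.2.2.1 255.255.255.255 203.0.113.254
sysopt connection permit-ipsec
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address GRE-VPN
crypto map VPN 10 set peer 198.51.100.2
crypto map VPN 10 set transform-set TS
crypto map VPN interface outside
isakmp enable outside
isakmp key EXAMPLE_PSK address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
! ---- Hub inside router (constructed: 10.1.1.2 behind the PIX, GRE endpoint)
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.1.1.2
 tunnel destination 10.2.2.1
ip route 10.2.2.1 255.255.255.255 10.1.1.1
```

The hub router runs RIP on Tunnel0 the same way as the remote; on the PIX, `show crypto ipsec sa` should show the GRE host pair as the protected identity, which is the quickest check that the crypto ACL and nat 0 exemption line up.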
