01-20-2016 11:49 PM - edited 03-03-2019 08:07 AM
I noticed 2 different ways of configuring encryption for an S2S tunnel across the Internet.
I am wondering what the differences are between the 2 methods.
Method 1 - Transport method, applied on Tunnel interface
crypto isakmp key abc@123 address 123.123.123.1
!
crypto ipsec transform-set SET1-TRANSPORT esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile PROFILE_SET1-TRANSPORT
 set transform-set SET1-TRANSPORT
!
interface Tunnel1001
 ip address 10.10.10.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 123.123.123.1
 tunnel protection ipsec profile PROFILE_SET1-TRANSPORT
Method 2 - Crypto Map method, applied on Physical interface
crypto isakmp key abc@123 address 123.123.123.1
!
crypto ipsec transform-set SET2-MAP ah-sha-hmac esp-3des
!
crypto map Fa0map 10 ipsec-isakmp
 set peer 123.123.123.1
 set transform-set SET2-MAP
 match address ACL-SET-MAP
!
! crypto ACL is written from this router's point of view:
! source = local tunnel source, destination = remote peer
ip access-list extended ACL-SET-MAP
 permit gre host 100.100.100.1 host 123.123.123.1
!
interface Tunnel2001
 ip address 10.10.10.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 123.123.123.1
!
! the crypto map goes on the physical interface the tunnel is sourced from
interface FastEthernet0
 ip address 100.100.100.1 255.255.255.252
 crypto map Fa0map
01-21-2016 12:06 AM
Method 2 is the really really old way of doing it. Method 1 is the way it should be done now.
01-21-2016 12:42 AM
Hi Philip,
Thank you very much for your feedback.
Do you have any reference link?
01-21-2016 12:47 AM
No. Only years of experience building site to site VPNs.
01-21-2016 01:28 AM
GRE IPsec transport mode saves approximately 20 bytes per packet of overhead. This might save a moderate amount of bandwidth on a WAN link.
If the GRE tunnel endpoints and the crypto endpoints are not the same (IP address wise), transport mode is definitely not an option.
If packets traverse a device (router) where NAT or PAT is used, then again transport mode cannot be used.
Found some links:
Cisco GRE and IPsec - GRE over IPsec - Selecting and Configuring GRE IPsec Tunnel or Transport Mode
Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPsec Tunnels
Configuring Site to Site IPsec VPN Tunnel Between Cisco Routers
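Where the 20 bytes come from, and why it is only "approximately" 20: the following is an added worked example (Python), not code from this thread or from Cisco. It models the two transform sets posted in the question using the fixed header sizes from the RFCs (IPv4 without options, GRE without optional fields, ESP, AH, HMAC-96 ICVs, 8-byte explicit IV for 3DES). SET2-MAP is taken to run in tunnel mode, which is the IOS default when "mode transport" is not configured; the packet sizes and the 1500-byte link MTU are assumed sample values.

```python
"""Byte accounting for GRE over IPsec: tunnel mode vs transport mode.

Added worked example, not part of the forum thread. Header sizes are the
fixed values from RFC 791 (IPv4, no options), RFC 2784 (GRE with no
optional fields), RFC 4303 (ESP), RFC 4302 (AH) and RFC 2403/2404
(HMAC-MD5-96 / HMAC-SHA1-96 ICVs).
"""
from dataclasses import dataclass
from typing import Iterable, Optional

IPV4_HDR = 20        # IPv4 header without options
GRE_HDR = 4          # GRE header: flags/version + protocol type only
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
AH_FIXED = 12        # next header, payload len, reserved, SPI, sequence

# IOS transform name -> (cipher block size, explicit IV length), bytes
CIPHERS = {
    "esp-3des": (8, 8),
    "esp-des": (8, 8),
    "esp-aes": (16, 16),
    "esp-null": (1, 0),
}
# IOS transform name -> truncated HMAC-96 ICV length, bytes
ICV = {
    "esp-md5-hmac": 12,
    "esp-sha-hmac": 12,
    "ah-md5-hmac": 12,
    "ah-sha-hmac": 12,
}


@dataclass(frozen=True)
class TransformSet:
    cipher: str                     # esp-* cipher transform
    esp_auth: Optional[str] = None  # esp-*-hmac, or None for no ESP ICV
    ah_auth: Optional[str] = None   # ah-*-hmac, or None for no AH header
    mode: str = "tunnel"            # IOS default when 'mode transport' is absent


# The two transform sets from the original post (assumed: SET2-MAP in tunnel mode)
METHOD1 = TransformSet("esp-3des", esp_auth="esp-md5-hmac", mode="transport")
METHOD2 = TransformSet("esp-3des", ah_auth="ah-sha-hmac")


def wire_size(ts: TransformSet, inner_ip_len: int) -> int:
    """Total IPv4 length on the WAN for one inner IP packet of inner_ip_len
    bytes sent through the GRE tunnel and protected by transform set ts."""
    block, iv_len = CIPHERS[ts.cipher]
    gre_packet = GRE_HDR + inner_ip_len
    if ts.mode == "tunnel":
        # ESP protects the whole GRE/IP packet; a fresh outer IPv4 header is added
        protected = IPV4_HDR + gre_packet
    elif ts.mode == "transport":
        # ESP protects only the GRE payload; the GRE packet's own IPv4 header stays
        protected = gre_packet
    else:
        raise ValueError(f"unknown mode {ts.mode!r}")
    # pad so that protected + pad + trailer is a whole number of cipher blocks
    pad = (-(protected + ESP_TRAILER)) % block
    esp_icv = ICV[ts.esp_auth] if ts.esp_auth else 0
    esp_len = ESP_HDR + iv_len + protected + pad + ESP_TRAILER + esp_icv
    # AH sits between the outer IPv4 header and ESP; its ICV also covers the
    # immutable outer IP fields, which is why AH does not survive NAT/PAT
    ah_len = (AH_FIXED + ICV[ts.ah_auth]) if ts.ah_auth else 0
    return IPV4_HDR + ah_len + esp_len


def overhead(ts: TransformSet, inner_ip_len: int) -> int:
    """Bytes added to the inner packet by GRE + IPsec (+ outer IP in tunnel mode)."""
    return wire_size(ts, inner_ip_len) - inner_ip_len


def transport_saving(ts: TransformSet, inner_ip_len: int) -> int:
    """Bytes saved by 'mode transport' versus tunnel mode for the same transforms.
    Nominally this is the 20-byte outer IPv4 header, but 20 is not a whole
    number of cipher blocks, so the ESP padding shifts and the real saving
    per packet is 16 or 24 bytes for 3DES, averaging 20."""
    tunnel = TransformSet(ts.cipher, ts.esp_auth, ts.ah_auth, "tunnel")
    transport = TransformSet(ts.cipher, ts.esp_auth, ts.ah_auth, "transport")
    return wire_size(tunnel, inner_ip_len) - wire_size(transport, inner_ip_len)


def average_transport_saving(ts: TransformSet, sizes: Iterable[int]) -> float:
    sizes = list(sizes)
    return sum(transport_saving(ts, n) for n in sizes) / len(sizes)


def max_inner_mtu(ts: TransformSet, link_mtu: int = 1500) -> int:
    """Largest inner IPv4 packet that leaves the WAN interface unfragmented;
    the tunnel interface's 'ip mtu' should not exceed this value."""
    n = link_mtu
    while wire_size(ts, n) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for name, ts in (("Method 1 (profile, transport)", METHOD1),
                     ("Method 2 (crypto map, tunnel)", METHOD2)):
        print(f"{name}: overhead for a 100-byte inner packet = {overhead(ts, 100)} B, "
              f"max inner MTU on a 1500-byte link = {max_inner_mtu(ts)}")
    print("transport saving for inner sizes 100..107:",
          [transport_saving(METHOD1, n) for n in range(100, 108)],
          "average", average_transport_saving(METHOD1, range(100, 108)))
```

The interesting output is max_inner_mtu: with the Method 1 transform set in transport mode a 1500-byte WAN link carries inner packets up to 1442 bytes, in tunnel mode up to 1422, and the AH+ESP set of Method 2 only up to 1414, which is why the tunnel interface needs an explicit ip mtu below the default.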
01-21-2016 01:36 AM
I don't think this is the main thrust of the question. Both methods could use tunnel or transport mode, and transport mode will use marginally less traffic compared to tunnel mode, as you have noted.
The original poster was asking about the difference between using an old-style crypto map to encrypt the GRE tunnel versus the newer IPsec profile applied to the GRE tunnel itself.