
Encrypted GRE Tunnels

jwatpiii40
Level 1

All,

I'm in a situation where I already have GRE tunnels connecting one environment to another.  One of the physical layer connections between a tunnel endpoint and an intermediate device is going to become a shared medium between two different companies.  We have been asked to ensure our data is protected by encrypting it over this shared link.

We came up with two solutions so far - the first is to build an IPSEC VPN between the tunnel endpoints and run the GRE tunnels over that, but I thought it might be even simpler to simply encrypt the existing GRE tunnels themselves with IPSEC.

I found the following document:

https://learningnetwork.cisco.com/docs/DOC-2457

which outlines what I believe to be a straightforward process for doing this. However, when I try to set the GRE tunnel mode to IPSEC, the IOS (6504, entservicesk9) does NOT take the command, nor does it show "ipsec" as an option.

Is this a function only available in a security services IOS or am I misinterpreting the capabilities and intent of ipsec enabled GRE?

Any input is greatly appreciated.

3 Replies

Marwan ALshawi
VIP Alumni

Check out this link:

https://supportforums.cisco.com/thread/200414

Hope this helps.

I am glad that you found this link which does address the issue of support for IPSec (and especially the VTI implementation which uses tunnel protection). I was a contributor to that thread. And it was accurate when we discussed it back in 2007. But times have changed and Cisco has enhanced the offerings on the 6500 platform. Here is an interesting quote from Cisco documentation:

IPsec VTI is supported in Cisco IOS Release 12.2(33)SXH and later releases, and is not supported in crypto-connect mode.

Here is a link to the documentation if you want more detail

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/configuration/6500series/76cfvpna.html

I am not authoritative on this but it looks to me that you need the VPN SPA on the 6500 for this to work. I suspect that this is the main reason why Joseph was not successful in attempting this configuration.

HTH

Rick


Rick, your answer was clear at that time and is still applicable, as the original poster is after encrypting a GRE tunnel without VTI.

However, VTI could be an option here, but you need to understand what it does and does not support compared to the normal GRE/IPsec site-to-site VPN tunnel.

Restrictions for IPsec Virtual Tunnel Interface

IPsec Transform Set

The IPsec transform set must be configured in tunnel mode only.

IKE Security Association

The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Because IKE SA is bound to the VTI, the same IKE SA cannot be used for a crypto map.

IPsec SA Traffic Selectors

Static VTIs support only a single IPsec SA that is attached to the VTI interface. The traffic selector for the IPsec SA is always "IP any any."

A dynamic VTI is also a point-to-point interface that supports only a single IPsec SA, but the dynamic VTI is flexible in that it can accept the IPsec selectors that are proposed by the initiator.

Proxy

Static VTIs support only the "IP any any" proxy.

Dynamic VTIs support only one proxy, which can be "IP any any" or any subset of it.

QoS Traffic Shaping

The shaped traffic is process switched.

Stateful Failover

IPsec stateful failover is not supported with IPsec VTIs.

Static VTIs Versus GRE Tunnels

The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.

HTH
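The two approaches discussed in this thread side by side, as an added configuration example that is not from the original poster, the replies, or the Cisco documents linked above. Option A keeps the existing GRE tunnel (default `tunnel mode gre ip`) and adds `tunnel protection` with an IPsec profile, which is the "encrypt the existing GRE tunnel" design and needs no `tunnel mode ipsec` keyword; Option B is a static IPsec VTI, where `tunnel mode ipsec ipv4` is required and, per the restrictions quoted above, the transform set must use tunnel mode and the traffic selector is always "IP any any". The two options are alternatives for the same peer pair, not meant to be configured together. All addresses, names, the pre-shared key placeholder and the cipher choices are constructed for illustration; adjust the IKE and transform parameters to what the running image supports, and note Rick's point above that on the 6500 the crypto commands themselves may depend on having the VPN SPA.

```cisco
! ---- Common IKEv1 / IPsec settings (constructed sample values) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Replace <PSK-PLACEHOLDER> with a strong pre-shared key; 203.0.113.2 is the remote tunnel endpoint
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.2
!
! ---- Option A: existing GRE tunnel + tunnel protection ----
! Transport mode is enough here because the GRE header already carries the
! outer IP addressing; only the GRE payload between endpoints is encrypted.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE
!
interface Tunnel0
 description Existing GRE tunnel, now encrypted on the shared segment
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.2
 ! tunnel mode gre ip is the default; no "tunnel mode ipsec" is needed for this design
 tunnel protection ipsec profile PROF-GRE
!
! ---- Option B: static IPsec VTI (use instead of Option A, not alongside it) ----
! VTI restriction: the transform set must be configured in tunnel mode only.
crypto ipsec transform-set TS-VTI esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile PROF-VTI
 set transform-set TS-VTI
!
interface Tunnel1
 description Static IPsec VTI; single SA, traffic selector is always "IP any any"
 ip address 10.0.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
!
! ---- Verification after the peer is configured the mirror way ----
! show crypto isakmp sa          -> IKE SA should be QM_IDLE / ACTIVE
! show crypto ipsec sa           -> #pkts encaps/decaps counters increasing on the tunnel
! show crypto session            -> session status UP-ACTIVE for 203.0.113.2
```

The operational difference matters for the shared-medium requirement: with Option A the GRE tunnel keeps its current routing, multicast and non-IP behaviour and simply gains encryption on the wire, while Option B replaces GRE encapsulation with IPsec tunnel-mode encapsulation and inherits the VTI restrictions listed above (single SA, "IP any any" proxy, no IPsec stateful failover, IP unicast and multicast only). Whichever option is used, a packet capture on the shared link should show only ESP (IP protocol 50) and ISAKMP (UDP/500, or UDP/4500 with NAT-T) between the two endpoints, never plain GRE (IP protocol 47).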
