Different S2S encryption method

limlayhin (Level 1)

I noticed 2 different ways of configuring encryption for an S2S tunnel across the Internet.

I am wondering what the differences are between the 2 methods.

Method 1 - Transport method, applied on Tunnel interface

crypto isakmp key abc@123 address 123.123.123.1

! "mode transport" keeps the GRE delivery header as the outer header
crypto ipsec transform-set SET1-TRANSPORT esp-3des esp-md5-hmac
mode transport

crypto ipsec profile PROFILE_SET1-TRANSPORT
set transform-set SET1-TRANSPORT

! Protection is bound to the tunnel; the proxy identity is derived from
! tunnel source/destination, so no crypto ACL is needed
interface Tunnel1001
ip address 10.10.10.1 255.255.255.252
tunnel source FastEthernet0
tunnel destination 123.123.123.1
tunnel protection ipsec profile PROFILE_SET1-TRANSPORT

Method 2 - Crypto Map method, applied on Physical interface

crypto isakmp key abc@123 address 123.123.123.1
! No "mode transport" here, so this transform set defaults to tunnel mode
crypto ipsec transform-set SET2-MAP ah-sha-hmac esp-3des

crypto map Fa0map 10 ipsec-isakmp
set peer 123.123.123.1
set transform-set SET2-MAP
match address ACL-SET-MAP

! The crypto ACL is written from the local side: source is the local GRE
! endpoint, destination is the peer; reversed, outbound GRE never matches
! and leaves the router unencrypted
ip access-list extended ACL-SET-MAP
permit gre host 100.100.100.1 host 123.123.123.1

interface Tunnel2001
ip address 10.10.10.1 255.255.255.252
! The tunnel source must be the interface that owns 100.100.100.1 and
! carries the crypto map, otherwise the GRE packets never hit the ACL
tunnel source FastEthernet0/1
tunnel destination 123.123.123.1

interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.252
crypto map Fa0map

5 Replies

Philip D'Ath (VIP Alumni)

Method 2 is the really really old way of doing it.  Method 1 is the way it should be done now.

Hi Philip,

Thank you very much for your feedback.

Do you have any reference link? 

No.  Only years of experience building site to site VPNs.

limlayhin (Level 1)

GRE IPSec Transport mode saves approximately 20 bytes per packet overhead. This might save a moderate amount of bandwidth on a WAN link.

If the GRE tunnels and crypto endpoints are not the same (IP address wise), transport mode is definitely not an option.

If packets traverse a device (router) where NAT or PAT is used then again, transport mode cannot be used.

Found some links: 

Cisco GRE and IPsec - GRE over IPsec - Selecting and Configuring GRE IPsec Tunnel or Transport Mode

Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPsec Tunnels

Configuring Site to Site IPsec VPN Tunnel Between Cisco Routers
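To put numbers behind the "approximately 20 bytes per packet" figure quoted above, here is an added Python example (written for this thread, not code from the poster, from Cisco or from the linked articles). It models the IPv4 GRE-over-IPsec encapsulation with the two transform sets from the question (esp-3des esp-md5-hmac and ah-sha-hmac esp-3des), using the fixed header sizes from RFC 2784 (GRE), RFC 4303 (ESP) and RFC 4302 (AH); the payload sizes are constructed samples, and the 1500-byte link MTU is an assumption.

```python
"""Per-packet overhead of GRE over IPsec: tunnel vs transport mode (IPv4).

Added example, not from the thread. Header sizes are the fixed values from
RFC 2784 (GRE), RFC 4303 (ESP) and RFC 4302 (AH); the packet sizes used in
the demo are constructed for the illustration.
"""
from dataclasses import dataclass

IPV4_HDR = 20       # IPv4 header without options
GRE_HDR = 4         # GRE header with no key/sequence/checksum fields
ESP_SPI_SEQ = 8     # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ICV_96 = 12         # truncated HMAC-MD5-96 / HMAC-SHA1-96 tag
AH_SHA1_HDR = 24    # AH fixed fields (12) + 96-bit ICV (12)
BLOCK_3DES = 8      # 3DES-CBC block size, also the ESP IV length


@dataclass(frozen=True)
class Transform:
    name: str
    esp_auth: bool  # ESP carries its own ICV (esp-md5-hmac / esp-sha-hmac)
    ah_auth: bool   # a separate AH header wraps the ESP packet (ah-sha-hmac)


METHOD1 = Transform("esp-3des esp-md5-hmac", esp_auth=True, ah_auth=False)
METHOD2 = Transform("ah-sha-hmac esp-3des", esp_auth=False, ah_auth=True)


def esp_padding(plaintext_len: int) -> int:
    """Padding so that plaintext + pad + trailer fills whole 3DES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % BLOCK_3DES


def protected_size(payload: int, transform: Transform, mode: str) -> int:
    """Wire size of an IP packet carrying `payload` bytes after its own IP
    header, once GRE-encapsulated and protected by IPsec in `mode`
    ("tunnel" or "transport")."""
    inner_packet = IPV4_HDR + payload
    # GRE adds a delivery IP header (tunnel source/destination) in front of
    # the GRE header and the inner packet.
    gre_packet = IPV4_HDR + GRE_HDR + inner_packet
    if mode == "transport":
        # ESP sits between the delivery IP header and the GRE header: only
        # GRE + inner packet are encrypted and the delivery header is reused.
        plaintext = GRE_HDR + inner_packet
    elif mode == "tunnel":
        # The whole GRE packet, delivery header included, is encrypted and a
        # brand-new outer IP header is added: that header is the extra ~20 B.
        plaintext = gre_packet
    else:
        raise ValueError(f"unknown IPsec mode {mode!r}")
    esp = ESP_SPI_SEQ + BLOCK_3DES + plaintext + esp_padding(plaintext) + ESP_TRAILER
    if transform.esp_auth:
        esp += ICV_96
    ah = AH_SHA1_HDR if transform.ah_auth else 0
    return IPV4_HDR + ah + esp


def overhead(payload: int, transform: Transform, mode: str) -> int:
    """Bytes added to the original packet by GRE + IPsec."""
    return protected_size(payload, transform, mode) - (IPV4_HDR + payload)


def transport_saving(payload: int, transform: Transform) -> int:
    """Bytes saved by transport mode over tunnel mode for this packet size."""
    return overhead(payload, transform, "tunnel") - overhead(payload, transform, "transport")


def largest_unfragmented_payload(transform: Transform, mode: str, link_mtu: int = 1500) -> int:
    """Largest payload whose protected packet still fits the link MTU; the
    number to keep in mind when setting "ip mtu" / "ip tcp adjust-mss" on
    the tunnel interface (1500 B MTU is an assumption)."""
    return max(p for p in range(link_mtu) if protected_size(p, transform, mode) <= link_mtu)


if __name__ == "__main__":
    for transform in (METHOD1, METHOD2):
        print(transform.name)
        for payload in (1000, 1004):  # constructed sample sizes
            t = overhead(payload, transform, "tunnel")
            x = overhead(payload, transform, "transport")
            print(f"  payload {payload}: tunnel +{t} B, transport +{x} B, saving {t - x} B")
        for mode in ("tunnel", "transport"):
            print(f"  max payload at 1500 B MTU, {mode} mode: "
                  f"{largest_unfragmented_payload(transform, mode)}")
```

Running it shows why the figure is "approximately" 20 bytes: the outer IPv4 header is exactly 20 bytes, but 20 is not a multiple of the 3DES block, so the ESP padding shifts by 4 bytes one way or the other and the per-packet saving comes out as 16 or 24 depending on packet size. The largest-payload numbers are the practical reason to care: every byte of overhead comes straight out of the room left under the path MTU, so a mismatched tunnel MTU causes fragmentation of the encrypted packets rather than a bandwidth loss.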

I don't think this is the main thrust of the question.  Both methods could use tunnel or transport mode, and transport mode will use marginally less traffic compared to tunnel mode, as you have noted.

The original poster was asking about the difference between using an old style crypto map to encrypt the GRE tunnel versus the newer ipsec profile applied to the GRE tunnel itself.
