08-20-2014 01:49 AM - edited 03-05-2019 06:53 AM
I have the following VPN Tunnel setup. My query is - Is this classed as IPSEC over GRE or GRE over IPSEC? I've read over the following link - https://supportforums.cisco.com/discussion/11662911/transport-mode-and-gre-tunnel#3786671 but still a bit unsure on the order of happenings when I send a packet over my tunnel below. Is the original packet encrypted first, then GRE encapsulation 2nd?
interface Tunnel9
description Tunnel to U.S
ip address 172.27.240.29 255.255.255.252
ip mtu 1452
qos pre-classify
tunnel source x.x.x.x
tunnel destination y.y.y.y
tunnel protection ipsec profile US
crypto ipsec profile US
set transform-set site-site
crypto ipsec transform-set site-site esp-des esp-md5-hmac
08-20-2014 02:57 AM
The packets get first encapsulated in GRE and then in IPsec. It has to be that order because only that way you can use GRE for transporting other protocols than IPv4. Another reason for always using IPSec as the outer layer is to give an attacker the least information possible. He won't see if you transport IP, GRE or something else.
08-20-2014 03:27 AM
Hi Karsten,
Thanks for the reply. If for example I have OSPF Hellos going across that Tunnel or LSA's , again these are first encapsulated in GRE and then IPSEC and sent over the tunnel?
08-20-2014 03:40 AM
No difference with OSPF, first you encapsulate in GRE, then the packet gets protected with IPsec. (Ok, more or less protected in your example, DES/MD5 isn't anything that should be used any more. But that's independent of the way GRE/IPsec works.)
08-21-2014 03:05 AM
Hi Karsten,
Thanks for the info and also to Joseph. One last query I guess. When using these tunnels - do my ACLs only need to be configured for:
permit esp host x.x.x.x host y.y.y.y
permit udp host x.x.x.x host y.y.y.y eq isakmp
for these tunnels to come up? Same if I use tunnel mode ipsec ipv4?
08-21-2014 04:18 AM
Yes, that's what is needed. If one device is behind a NAT, you also have to add UDP/4500.
Some more info about interface-ACLs used with VPNs:
https://supportforums.cisco.com/document/12018566/configuring-interface-acls-vpns
08-20-2014 10:26 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
BTW, not 100% sure, but 1452 might be a tad large for GRE/IPSec (unless you're using the non-default mode that reduces IPSec overhead [cannot recall whether that's tunnel or transport mode]). Also, if the platform supports it, I recommend using the tcp adjust-mss command. Lastly, if your platforms support it, you might want to switch to VTI tunnels.
08-20-2014 12:48 PM
Hi Joseph,
You mention switch to VTI tunnels. Just had a look into this.
By adding the following - tunnel mode ipsec ipv4, this one command stops the tunnel from being GRE, taking away the 4 byte header? What is being used instead of gre in this case?
08-20-2014 01:21 PM
> What is being used instead of gre in this case?
IP is directly transported in IPsec. So, yes, you have less overhead. But with GRE you have more flexibility. Probably that's the reason FlexVPN is based on GRE.
08-20-2014 04:42 PM
BTW, you can do routing protocols over VTI tunnels. Not sure about multicast, but it might be supported too. I.e. VTI tunnels provide many or all of the same benefits as GRE/IPSec tunnels.
08-20-2014 04:54 PM
Yes, that's true. But with flexibility I was thinking about dual-stack deployments (I just see that I forgot to mention that in the last post). GRE supports this while VTIs (as far as I know) still don't.
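The encapsulation order and MTU discussion above, as an added example that is not code from the thread or from Cisco: it models inner packet -> GRE -> IPsec for the question's transform set (esp-des esp-md5-hmac) and compares the wire size of GRE/IPsec in tunnel and transport mode against a VTI (tunnel mode ipsec ipv4). Header sizes are the standard IPv4, GRE and ESP constants; the design labels are assumptions made for this example.

```python
# Added example (not from the thread): models Karsten's order, inner packet ->
# GRE -> IPsec, and the overhead Joseph raises, for esp-des esp-md5-hmac.
IPV4_HDR = 20     # IPv4 header without options
GRE_HDR = 4       # plain GRE, the "4 byte header" mentioned in the thread
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
DES_IV = 8        # esp-des: one CBC IV block
DES_BLOCK = 8     # esp-des: encrypted data padded to a multiple of the block
MD5_ICV = 12      # esp-md5-hmac: HMAC-MD5-96 integrity check value


def esp_protect(plain_len, mode, iv=DES_IV, block=DES_BLOCK, icv=MD5_ICV):
    """Return (wire_len, pad_len) once ESP protects a plain_len-byte IPv4 packet.

    Tunnel mode encrypts the whole packet and adds a new outer IPv4 header;
    transport mode keeps the packet's own header in the clear.
    """
    if mode == "tunnel":
        encrypted = plain_len
    elif mode == "transport":
        encrypted = plain_len - IPV4_HDR
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # ESP pads so that data + padding + trailer is a multiple of the cipher block.
    pad = (-(encrypted + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv + encrypted + pad + ESP_TRAILER + icv, pad


def tunnel_wire_size(inner_len, design):
    """Bytes on the wire for an inner IPv4 packet sent over the tunnel.

    design (labels assumed for this example):
      "gre-tunnel"    GRE/IPsec with IPsec tunnel mode (default for tunnel protection)
      "gre-transport" GRE/IPsec with IPsec transport mode (drops one outer header)
      "vti"           tunnel mode ipsec ipv4: no GRE, inner packet straight into ESP
    """
    if design == "vti":
        return esp_protect(inner_len, "tunnel")[0]
    gre_packet = IPV4_HDR + GRE_HDR + inner_len     # step 1: GRE encapsulation
    mode = "tunnel" if design == "gre-tunnel" else "transport"
    return esp_protect(gre_packet, mode)[0]         # step 2: IPsec protection


def max_inner_mtu(design, outer_mtu=1500):
    """Largest inner packet that leaves the physical interface unfragmented."""
    inner = outer_mtu
    while tunnel_wire_size(inner, design) > outer_mtu:
        inner -= 1
    return inner
```

With the question's `ip mtu 1452`, a full-size inner packet comes out at 1528 bytes in the default GRE/IPsec tunnel mode, so it exceeds a 1500-byte physical MTU in every design; `max_inner_mtu` gives the tunnel MTU that avoids that.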