Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
4449
Views
11
Helpful
2
Comments

GRE over IPSec Crypto map versus Tunnel Protection (IPsec Profile)

Meddane
VIP
VIP
‎05-21-2022 03:01 PM

GRE over IPSec Crypto map

 

int tunnel 1
ip add 172.16.1.1 255.255.255.0
tunnel source G0/0
tunnel destination 2.2.2.2
!
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map TEST
set peer 2.2.2.2
match address 100
set transform-set TS
!
int G0/0
crypto map TEST

 

Tunnel Protection (IPsec Profile)

 

crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile TEST
set transform-set TS
!
int tunnel 1
ip add 172.16.1.1 255.255.255.0
tunnel source G0/0
tunnel destination 2.2.2.2
tunnel protection ipsec TEST

 

In the old method, an extended ACL must be defined to match which traffic will be encrypted, since we GRE as the encapsulation protocol for all IP packet, traditionally we used an ACL (100 in our scenario) to match the GRE packet sourced from 1.1.1.1 in our case and destined to 2.2.2.2 (in our scenario) because all traffic that goes through the tunnel will encapsulated with the Public IP header defined in the tunnel source and tunnel destination command under the tunnel interface.

Then after setting this ACL, we need the popular crypto map for phase 2 IPsec, under the crypto map, we put in the past mainly the ACL using the set address 100 command and set peer 2.2.2.2 command, and the transform set using the set transform-set command, finally we apply the crypto map on the physical interface.

Now, why moving to Tunnel Protection or IPsec Profile?, simply because when we use IPsec with GRE (GRE over IPsec), there are many DUPLICATION CONFIGURATION.

Now where is this duplication? in the figure notice the following:

1-The set peer 2.2.2.2 command under the crypto map has the same meaning as the tunnel destination 2.2.2.2 command under the tunnel interface.

2-The second duplication is for the ACL, previously using the old method crypto ACL, we need to identify the GRE packet and associate this ACL to crypto map using the match address 100, the ACL + match address 100 have the same meaning as the Tunnel source 1.1.1.1 and Tunnel destination 2.2.2.2 commands.

This is why Tunnel Protection or commonly known IPsec Profile comes for rescue as a new method and replaces the old method crypto map.

you create an IPsec Profile, you associate the transform-net then you apply the IPsec Profile on the Tunnel interface and thats all. There are is no need of ACL or PEER. all these informations are already there in the tunnel interface.

 

 

2 Comments
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents