GRE OVER IPSEC

Guys,

Should a GRE over IPsec implementation have the transform-set in tunnel or transport mode?

Please advise in both cases: when there is a NAT device in between, and when the devices are directly connected.


Thanks,

Prashant


Dinesh Moudgil
Cisco Employee

Hi,

The basic difference is that tunnel mode protects the IP header by encrypting it and then adding the ESP header along with a new IP header. On the contrary, transport mode uses the same IP header as the new header and does not encrypt it with ESP. This saves 20 bytes, which is beneficial when we are considering the additional GRE payload.

If the same device is terminating the GRE and the IPsec, then you use transport mode.
In case we have one device terminating the GRE and the next device terminating the IPsec, you choose to configure tunnel mode, so that both IP headers are kept intact.

Here is a very good document discussing these modes:
http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.htm

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
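To make the header difference concrete, here is an added example (not from the reply above or from Cisco) that computes the on-the-wire size of a GRE over IPsec packet in ESP transport and tunnel mode. It assumes IPv4, a 4-byte GRE header without key or sequence options, and an esp-aes/esp-sha-hmac transform (16-byte IV and block, 12-byte ICV); the 20-byte header difference turns into a 16- or 32-byte difference on the wire once ESP block padding is applied.

```python
from dataclasses import dataclass

# Constructed sizes for IPv4 GRE over IPsec; GRE carries no key/sequence options.
IPV4_HDR = 20      # delivery (transport) or new outer (tunnel) IP header
GRE_HDR = 4        # flags/version + protocol type
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    iv_len: int    # IV bytes carried after SPI/seq
    block: int     # cipher block size the plaintext + trailer is padded to
    icv_len: int   # integrity check value bytes


# Assumed transform set: esp-aes (CBC, 16-byte IV/block) + esp-sha-hmac (96-bit ICV).
AES_CBC_SHA1 = EspSuite(iv_len=16, block=16, icv_len=12)


def esp_padding(plaintext_len: int, suite: EspSuite) -> int:
    """Pad bytes so plaintext + pad + trailer is a multiple of the block size
    (RFC 4303 also requires 4-byte alignment, covered by block >= 4)."""
    return (-(plaintext_len + ESP_TRAILER)) % max(suite.block, 4)


def esp_len(plaintext_len: int, suite: EspSuite) -> int:
    """Bytes of ESP header, protected data, padding, trailer and ICV."""
    pad = esp_padding(plaintext_len, suite)
    return ESP_SPI_SEQ + suite.iv_len + plaintext_len + pad + ESP_TRAILER + suite.icv_len


def gre_over_ipsec_len(inner_len: int, mode: str, suite: EspSuite = AES_CBC_SHA1) -> int:
    """On-the-wire IPv4 size of an inner packet after GRE + ESP in the given mode."""
    gre_pkt = GRE_HDR + inner_len
    if mode == "transport":
        # Delivery IP header is reused as outer header; only GRE + inner is protected.
        return IPV4_HDR + esp_len(gre_pkt, suite)
    if mode == "tunnel":
        # Delivery IP header is protected too, and a new 20-byte outer header is added.
        return IPV4_HDR + esp_len(IPV4_HDR + gre_pkt, suite)
    raise ValueError(f"unknown mode {mode!r}")


def max_inner_len(link_mtu: int, mode: str, suite: EspSuite = AES_CBC_SHA1) -> int:
    """Largest inner IP packet that fits in link_mtu without fragmentation."""
    size = link_mtu
    while size > 0 and gre_over_ipsec_len(size, mode, suite) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, gre_over_ipsec_len(1400, mode), "bytes for a 1400-byte inner packet;",
              "largest inner packet for MTU 1500:", max_inner_len(1500, mode))
```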

You confused me!

Just to let you know, the same device would be running the VPN (GRE+IPsec), also known as VTI.

Here is the topology:

R1 (VPN end) --- Cisco ASA (performing 1-to-1 NAT for the R1 tunnel source) --- R2 (other end VPN device)

Both VPN devices have GRE+IPsec running (Tunnel100). Now please tell me if it should be tunnel or transport mode, and why?


A few things to check at your end:

"same device would be running vpn (GRE+IPSEC) also known as VTI"

GRE + IPsec is never called VTI. Quoting Cisco documentation:
"Information About IPsec Virtual Tunnel Interface

The use of IPsec VTIs both greatly simplifies the configuration process when you need to provide protection for remote access and provides a simpler alternative to using generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec."

There is an inherent difference between their setup and implementation.
A GRE tunnel uses GRE encapsulation over IP, whereas a VTI tunnel uses IPsec encapsulation over IP.
GRE : "tunnel mode gre ip"
VTI : "tunnel mode ipsec ipv4"

And for a VTI deployment, the IPsec transform set must be configured in tunnel mode only.

As to why this is so, please spare some time and read the documentation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I was talking about (GRE IPsec mode) which is also called VTI... maybe I confused you...

So in VTI, should we use tunnel or transport mode?

Also, what will happen if I leave the tunnel mode at the default value while applying tunnel protection ipsec profile?