basic GRE IPSec configuration question

[topology diagram: CSC.JPG]

The test config below was entered on R1 (the leftmost router). R4 has a similar config with inverse IP addressing. R1 is able to ping R4's loopback at the moment.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 120
crypto isakmp key cisco address 203.115.34.4
!
crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp-aes
!
crypto map MY_MAP 10 ipsec-isakmp
 set peer 203.115.34.4
 set transform-set MY_TRANSFORM
 match address 100
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.14.1 255.255.255.0
 tunnel source Serial1/2
 tunnel destination 203.115.34.4
 crypto map MY_MAP
!
interface Serial1/2
 ip address 203.115.12.1 255.255.255.0
 serial restart-delay 0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255
 auto-summary
!
router ospf 100
 router-id 1.1.1.1
 log-adjacency-changes
 network 203.115.0.0 0.0.255.255 area 0
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
!

I have seen that Cisco sample configurations include an access-list entry as follows...

access-list 100 permit gre host 203.115.12.1 host 203.115.34.4

I would like to understand the purpose of the above ACL with regards to the test configuration I have posted here.


4 Replies

Hi,

When you're using pure IPsec for the tunnel, then the interesting traffic should be defined to be IP traffic between the internal subnets.

So you will have an ACL like this:

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 (or wildcard masks)

Assuming 10.1.1.0/24 and 10.2.2.0/24 are the protected networks that communicate through the tunnel.

When you're incorporating GRE and IPsec, then the actual traffic that is going to be protected by IPsec is GRE traffic.

The purpose of using IPsec/GRE is to encapsulate the traffic (multicast or non-IP traffic) in unicast GRE packets and then encrypting the GRE packets using IPsec.

This means that the above ACL is changed to:

access-list 101 permit gre host 1.1.1.1 host 2.2.2.2

Assuming 1.1.1.1 and 2.2.2.2 are the tunnel source and destination IPs.

Hope it helps.


Federico.

According to your reply, I understand that the configuration I have posted uses only pure IPSec, with no GRE encapsulation.

(The local networks are 192.168.10.0 and 192.168.40.0, which are only configured for IPSec, and they have learned each other through EIGRP via the Tunnel interface.)

I would like to know if the following command is valid, and if so, what the outcome would be.

Will it not be enough to encapsulate all traffic between the 192.168.10 and 192.168.40 networks?

Or does permit gre only apply to the tunnel source and destination IP addresses?

access-list 100 permit gre 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255

Let me explain.

LAN ---- Router --- WAN --- Router --- LAN

The communication between both LANs can be over a GRE tunnel, over an IPsec tunnel or over an IPsec/GRE tunnel.

If you just want to communicate unicast IP traffic between them, the recommendation is IPsec because it will encrypt the traffic.

If you need to pass non-unicast or non-IP traffic then you can create a GRE tunnel.

If you want the IPsec encryption for the GRE tunnel then configure IPsec/GRE.

The ACL that you mention will not work because the GRE traffic is only between the tunnel endpoints.

The traffic that flows between LANs is IP traffic (not GRE traffic) hence a permit GRE ACL won't work.

Hope it helps.

Federico.
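To make the explanation concrete, here is an added example (not from the thread or any Cisco code) that models how a crypto ACL classifies the packet the crypto engine actually sees: the plain LAN packet for pure IPsec, or the GRE packet between the tunnel endpoints once traffic has been routed into Tunnel0. It assumes R4's loopback is 192.168.40.4 and ignores IOS specifics of where the crypto map is applied.

```python
import ipaddress

GRE, ICMP = 47, 1                  # IP protocol numbers
PROTO_NUM = {"gre": GRE, "icmp": ICMP, "esp": 50}
# Tunnel endpoints from the posted config; 192.168.40.4 is an assumed R4 loopback.
R1_WAN, R4_WAN = "203.115.12.1", "203.115.34.4"
LAN_PING = (ICMP, "192.168.10.1", "192.168.40.4")   # constructed: R1 Lo0 pings R4 Lo0

# The three crypto ACLs discussed in the thread.
ACLS = {
    "posted":   ["access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log"],
    "cisco":    ["access-list 100 permit gre host 203.115.12.1 host 203.115.34.4"],
    "proposed": ["access-list 100 permit gre 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255"],
}

def parse_ace(line):
    """Parse one IOS extended ACE: permit <proto> <src> <dst> [log], where <src>/<dst>
    is 'host A', 'any' or 'A WILDCARD'. Returns (proto, src_network, dst_network)."""
    t = line.split()
    t = t[t.index("permit") + 1:]
    proto, t = t[0], t[1:]
    nets = []
    while len(nets) < 2:
        if t[0] == "host":
            nets.append(ipaddress.ip_network(f"{t[1]}/32")); t = t[2:]
        elif t[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); t = t[1:]
        else:  # address + wildcard; ipaddress accepts a dotted hostmask after '/'
            nets.append(ipaddress.ip_network(f"{t[0]}/{t[1]}")); t = t[2:]
    return proto, nets[0], nets[1]

def ace_matches(ace, packet):
    proto, src_net, dst_net = ace
    pkt_proto, src, dst = packet
    proto_ok = proto == "ip" or PROTO_NUM.get(proto) == pkt_proto
    return (proto_ok and ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)

def gre_encapsulate(inner):
    """After the LAN packet is routed into Tunnel0, the outer header that gets classified
    is GRE between the tunnel endpoints; the LAN addresses are now payload."""
    return (GRE, R1_WAN, R4_WAN)

def selects(acl_lines, packet):
    return any(ace_matches(parse_ace(line), packet) for line in acl_lines)

def evaluate(name):
    """Return (matches the plain LAN packet, matches the GRE-encapsulated packet)."""
    acl = ACLS[name]
    return selects(acl, LAN_PING), selects(acl, gre_encapsulate(LAN_PING))

if __name__ == "__main__":
    for name in ACLS:
        plain, encap = evaluate(name)
        print(f"{name:9s} plain IP: {plain!s:5}  GRE-encapsulated: {encap}")
```

The proposed permit gre between the two LAN ranges matches neither form of the packet, which is why it can never select traffic for encryption.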

Thanks for the explanation.

Cheers,

uddika