(GRE over IPSEC) on separate devices

corycandia
Level 1

Experts,

I'd like to know if there are risks in doing the IPSEC tunnel for a GRE tunnel on a separate device from the one with the tunnel interface.

Scenario:

You have two sites, each with a single public IP address, and an ASA 5505. The ASA currently handles your firewall, PAT, AnyConnect clients, and a policy-based site-to-site tunnel between the two sites. You want to create a GRE tunnel between the two sites instead of the ASA's policy-based one. We've decided to insert a router behind the firewall for creating the tunnel interface.

We could:

(A) Take down the site-to-site tunnel from the ASAs and port forward the IPSEC traffic (NAT-T) doing GRE over IPSEC between the routers

(B) Leave the site-to-site tunnel between the ASAs, but change it to match GRE traffic and just create the tunnels on the routers with no IPSEC on them.

Either way, the traffic goes across the internet encrypted, right?

Would a rule that blocks GRE traffic out of the ASA outside interface prevent any unencrypted GRE traffic from escaping?

Would this work?

Accepted Solution

Rahul Govindan
VIP Alumni

Option B is very commonly used when ASAs are configured for IPsec. There is no risk of separating the IPsec and GRE tunnels as far as I am aware.

One advantage of doing IPsec and GRE on the same router (apart from the number of devices that you would have to manage) is the ability to do automatic spoke-to-spoke VPN tunnels with multiple remote sites (using DMVPN). You can achieve the same with the ASA as IPsec head end, but it will result in creating individual policies for each tunnel. So if you have more than 2 sites that you want to connect together, think of that option.

If your IPsec policies are correct, the outbound ACL to stop GRE going out unencrypted is not really necessary. Even if it escapes, it won't get far as they would be private IP addresses in a public cloud, so it will be blocked at the provider edge. But you can still configure it as a precaution.
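A worked configuration for option B, added here as an illustration and not taken from the poster's or the answerer's own devices: the router carries a plain GRE tunnel, the ASA crypto ACL matches only GRE between the two router addresses (with a NAT exemption so PAT does not rewrite them), and the precautionary egress ACL restricts GRE on the outside interface to that endpoint pair. All addresses (transit nets 192.168.1.0/24 and 192.168.2.0/24, remote LAN 172.16.2.0/24, peer 203.0.113.2), object names and the pre-shared key are assumed placeholders; only site 1 is shown, and site 2 mirrors it with the addresses and peer swapped.

```cisco
! ---- Site 1 router (IOS), behind the ASA: plain GRE, no IPsec on the router ----
interface GigabitEthernet0/0
 description transit LAN toward ASA inside (192.168.1.1 assumed)
 ip address 192.168.1.2 255.255.255.0
!
interface Tunnel0
 description GRE to site 2 router; IPsec is applied by the ASAs
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.2.2
 tunnel mode gre ip
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! site 2 LAN goes through the tunnel; the tunnel endpoint itself stays routed via the ASA
ip route 172.16.2.0 255.255.255.0 Tunnel0
!
! ---- Site 1 ASA: encrypt only GRE between the two router addresses ----
object network SITE1-RTR
 host 192.168.1.2
object network SITE2-RTR
 host 192.168.2.2
! exempt the router pair from PAT so the crypto ACL still sees the inner addresses
nat (inside,outside) source static SITE1-RTR SITE1-RTR destination static SITE2-RTR SITE2-RTR no-proxy-arp route-lookup
!
access-list SITE2-CRYPTO extended permit gre host 192.168.1.2 host 192.168.2.2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SITE2-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Precaution from the thread: GRE may leave the outside interface only between the
! tunnel endpoints. Written as permit-pair-then-deny so it is safe whether the egress
! ACL is evaluated before or after encryption; any other GRE shows as hits on the deny.
access-list OUTSIDE-OUT extended permit gre host 192.168.1.2 host 192.168.2.2
access-list OUTSIDE-OUT extended deny gre any any log
access-list OUTSIDE-OUT extended permit ip any any
access-group OUTSIDE-OUT out interface outside
```

Check the result with `show crypto ipsec sa` (encaps/decaps counters rising for the GRE proxy identity) and `show access-list OUTSIDE-OUT` (hit counts on the deny line reveal GRE from anything other than the router pair).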
