07-21-2015 05:27 PM - edited 02-21-2020 08:21 PM
Guys,
Should a GRE over IPsec implementation have the transform-set in tunnel or transport mode?
Please advise for both cases: when there is a NAT device in between and when they are directly connected.
Thanks,
Prashant
07-21-2015 08:34 PM
Hi Prashant Dwivedi,
The basic difference is that tunnel mode protects the IP header by encrypting it and then adding the ESP header along with a new IP header. In contrast, transport mode uses the same IP header as the new header and does not encrypt it with ESP. This saves 20 bytes, which is beneficial when we are considering the additional GRE payload.
If the same device is terminating the GRE and the IPsec, then you use transport mode.
If one device terminates the GRE and the next device terminates the IPsec, you configure tunnel mode, so that both IP headers are kept intact.
Here is a very good document discussing these modes:
http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.htm
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-21-2015 10:09 PM
You confused me!
Just to let you know, the same device would be running the VPN (GRE+IPsec), also known as VTI.
Here is the topology:
R1 (VPN end) --- Cisco ASA (performing 1-to-1 NAT for the R1 tunnel source) --- R2 (other-end VPN device)
Both VPN devices have GRE+IPsec running (tunnel 100). Now please tell me if it should be tunnel or transport mode, and why?
07-21-2015 10:59 PM
A few things to check at your end:
"same device would be running vpn (GRE+IPSEC) also known as VTI"
GRE + IPsec is never called VTI. Quoting Cisco documentation:
"Information About IPsec Virtual Tunnel Interface
The use of IPsec VTIs both greatly simplifies the configuration process when you need to provide protection for remote access and provides a simpler alternative to using generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec."
There is an inherent difference between their setup and implementation.
A GRE tunnel uses GRE encapsulation over IP, whereas a VTI tunnel uses IPsec encapsulation over IP.
GRE: "tunnel mode gre ip"
VTI: "tunnel mode ipsec ipv4"
And for a VTI deployment, the IPsec transform set must be configured in tunnel mode only.
As to why this is so, please spare some time and read the documentation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
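To make the two cases in the replies above concrete, here is an added IOS configuration example; it is not taken from the thread or from Cisco documentation. The peer addresses (192.0.2.1 for R1, 198.51.100.1 for R2), tunnel numbers, names and the pre-shared key are constructed placeholders. It shows a GRE-over-IPsec tunnel whose transform set is in transport mode (one router terminates both GRE and IPsec) next to an IPsec VTI (tunnel mode ipsec ipv4), whose transform set stays in tunnel mode.

```text
! Added example, not the thread's own configuration. Addresses and names are constructed.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 198.51.100.1

! Case 1: GRE over IPsec, same router terminates GRE and IPsec.
! Transport mode reuses the GRE packet's own IP header, saving 20 bytes per packet.
crypto ipsec transform-set TS-GRE esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROF-GRE
 set transform-set TS-GRE

interface Tunnel100
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 ! "tunnel mode gre ip" is the default for a tunnel interface
 tunnel mode gre ip
 tunnel protection ipsec profile PROF-GRE

! Case 2: IPsec VTI, no GRE header. The transform set must be in tunnel mode,
! which is also the default when no "mode" line is configured.
crypto ipsec transform-set TS-VTI esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile PROF-VTI
 set transform-set TS-VTI

interface Tunnel200
 ip address 10.0.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-VTI
```

After the tunnels come up, "show crypto ipsec sa" reports the negotiated mode per SA in its "in use settings" line (Transport for Tunnel100, Tunnel for Tunnel200), which is the quickest way to confirm which mode actually took effect rather than which one was typed.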
07-22-2015 12:01 AM
I was talking about (GRE IPsec mode), which is also called VTI... maybe I confused you...
So in VTI, should we use tunnel or transport mode?
Also, what will happen if I leave the tunnel mode at the default value while applying tunnel protection ipsec profile?