Re: GRE over IPSEC

prashantvaria9 · ‎01-05-2020

Hello,

I have a very simple query regarding gre over ipsec. I know GRE tunnel stays up up if it has a IP address configured and has a route to destination tunnel. I want to know that if I am running IPsec for encryption on that gre tunnel and in provider's MPLS, UDP 500 is blocked then what will be my tunnel's state?

It will still be up up state and my IPSEC will be broken or it will be up down state? Since IPsec is the transport for GRE and IPSEC fails the negotiation then the tunnel should go down, right? I will also try to lab it up, but need a quick finding about this.

Thank you!

Dinesh Moudgil · ‎01-05-2020

Hi Prashant,

From IOS versions15.4(3)M/15.4(3)S and later, the GRE tunnel line protocol state will follow the IPsec Security Association (SA) state, so the line protocol will remain down until the IPsec session is fully established (i.e. related to your scenario when UDP 500 is blocked)

Ref:
https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE/2_p2pGRE_Phase2.html?referring_site=RE&pos=2&page=https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

prashantvaria9 · ‎01-06-2020

Hello Dinesh,

Thank you for providing the information! Appreciate it.