Cisco Community
English
Register
Congratulate April's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
424
Views
5
Helpful
1
Replies
DaeHeon Kang
Beginner
Beginner
‎12-19-2017 07:41 PM
‎12-19-2017 07:41 PM

How is different between two ways for GRE over IPSec?

How is different between the below ways for GRE over IPSec? and how is the structure of the frame different between the two ways? And also which ways is the recommend way to deploy GRE over IPSec?

 

  • Apply Crypto map to physical interface by using access-list 100 permit gre host [ interface ip address] host [interface ip address]
  • Apply tunnel protection ipsec profile to tunnel interface
Labels:
0 Helpful
1 REPLY 1
Mohammed al Baqari
VIP Advisor VIP Advisor
VIP Advisor
‎12-19-2017 10:33 PM
‎12-19-2017 10:33 PM

Hi,

 

The 1st method is called policy based VPN. You define your interesting traffic using ACL rules to pass through VPN. The 2nd method is called route based VPN. You interesting traffic should be routed over the VPN tunnel.

 

If you look at the traffic selectors (SPD) using show crypto ipsec sa you will see for the 1st method that your SPD is matching your ACLs. For the 2nd method you will see your SPD as 0.0.0.0/0 and the interesting traffic is defined using routing. 

 

This is irrelevant whether your interesting traffic is GRE, TCP, UDP, etc. 

 

Now using Tunnel interface is called VTI method (Virtual Tunnel Interface) an its the preferred method to use when you are configuring VPN between Cisco routers. Crypto maps are the legacy methods and they are preferred for vpn between different vendors for interoperatibility 

Latest Contents
Podcast: Unhackable with Mike Storm - Ep. 1 Unhackable Princ...
Created by greghami on 05-17-2021 02:43 PM
0
0
0
0
In this episode of Unhackable, Mike Storm (@mistorm) with his co-host and producer, Sean discuss the Unhackable Principle: Authentication. This is where they talk about passwords, multi-factor authentication, and what it takes to keep you safe when you ... view more
Episode 59 - Discussions on Cisco DevNet Certifications
Created by Kevin Klous on 05-17-2021 01:03 PM
0
10
0
10
Show Name: Discussions on Cisco DevNet Certifications   Contributors: Kevin Klous, Security Technical Leader, Cisco Nic Conroy, Technical Consulting Engineer, Cisco Prerna Sivadas, Technical Consulting Engineer, Cisco   Posting Date: May 2021 &... view more
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use of Azure AD credentials is an alterna... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
Content for Community-Ad