09-15-2022 08:16 PM
Hi ,
I am confused about GRE over IPsec and IPsec over GRE. As I understand it, GRE over IPsec = GRE is the inside packet and IPsec is the outside packet. IPsec over GRE ==> IPsec is the inside packet, GRE is the outside packet, right?
My concern is: if we apply an IPsec profile on the GRE tunnel interface, is it IPsec over GRE? If we apply the IPsec profile on the interface which is the source of the GRE tunnel, is it IPsec over GRE?
Can we deploy both GRE over IPsec and IPsec over GRE on the same router, which has only one WAN interface?
How should I understand the traffic flow of GRE over IPsec and IPsec over GRE?
For example, for GRE over IPsec: interested traffic ==> LAN interface ==> GRE tunnel ==> add IPsec header ==> send out via WAN interface to the remote terminal?
Is DMVPN IPsec over GRE?
09-20-2022 01:55 AM
@MrBeginner first of all, if you are setting up a VPN between an HP device and a Cisco router are you using a Policy Based VPN or a Route Based VPN?
If using a Policy Based GRE over IPSec VPN you'd configure the crypto map on the physical interface, the GRE tunnel traffic is matched against the crypto ACL and encrypted.
ip access-list extended VPN-ACL
 permit gre host 1.1.1.1 host 2.2.2.1
!
crypto map CMAP 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map CMAP
!
interface tunnel 1
 ip address 192.168.250.1 255.255.255.252
 tunnel source gigabitethernet0/0
 tunnel destination 2.2.2.1
 keepalive 10 3
If using a Route Based VPN (GRE over IPSec with Tunnel Protection), use a tunnel interface and reference an ipsec profile on the tunnel interface. You don't require a crypto map, all traffic is encapsulated in GRE and routed over the VPN encrypted.
interface tunnel 0
 ip unnumbered loopback 0
 tunnel source gigabitethernet 0/0
 tunnel destination 1.1.1.1
 tunnel mode gre ip   << this is the default and is not displayed in the running config
 tunnel protection ipsec profile default
IPSec over GRE is rarely used and unsupported on newer Cisco IOS versions, but you'd assign a crypto map to the GRE interface. On newer software versions it does not allow you to do this.
The recommended deployment would be the second example - GRE over IPSec with Tunnel Protection or a VTI.
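To make the header order in the two answers above concrete, here is an added Python model (not code from this thread or from Cisco) that builds the three packet shapes on the wire and then walks the headers the way a passive observer on the WAN link could. GRE over IPsec (tunnel protection, or a crypto map on the physical interface matching "permit gre") puts ESP directly after the outer IP header, so the observer sees protocol 50 and nothing else. IPsec over GRE (crypto map on the tunnel interface) puts the GRE header and the tunnel interface addresses in cleartext and only then ESP. Plain GRE without IPsec, which the "DMVPN w/o IPSec" remark below refers to, exposes the inner packet entirely. The addresses, SPIs and the UDP payload are constructed sample values, and ESP is modelled as an opaque stand-in for the real encrypted payload (transport mode, so no second copy of the IP header inside ESP).

```python
import struct

# IP protocol numbers and the GRE protocol type used by the model
IPPROTO_UDP = 17
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options; checksum left at zero, this is a model)."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst))


def gre_header(proto_type=ETHERTYPE_IPV4):
    """4-byte GRE header: no flags, version 0, protocol type of the payload."""
    return struct.pack("!HH", 0, proto_type)


def esp_wrap(spi, seq, plaintext):
    """ESP header (SPI, sequence number) followed by an opaque stand-in for the
    ciphertext. Real ESP encrypts and authenticates; here the payload is just
    replaced by 0xEE bytes of the same length so that a parser cannot read it."""
    return struct.pack("!II", spi, seq) + b"\xee" * len(plaintext)


def plain_gre(inner, outer_src, outer_dst):
    """GRE with no IPsec at all (a DMVPN/GRE tunnel without tunnel protection)."""
    gre_packet = gre_header() + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_packet)) + gre_packet


def gre_over_ipsec(inner, outer_src, outer_dst, spi=0x1000):
    """GRE inside, IPsec outside: 'tunnel protection ipsec profile' on the tunnel,
    or a crypto map on the physical interface whose ACL matches 'permit gre'."""
    gre_packet = gre_header() + inner
    protected = esp_wrap(spi, 1, gre_packet)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(protected)) + protected


def ipsec_over_gre(inner, outer_src, outer_dst, tun_src, tun_dst, spi=0x2000):
    """IPsec inside, GRE outside: a crypto map on the tunnel interface encrypts
    first (between the tunnel interface addresses), then GRE carries the result
    out of the physical interface."""
    protected = esp_wrap(spi, 1, inner)
    tunnel_packet = ipv4_header(tun_src, tun_dst, IPPROTO_ESP, len(protected)) + protected
    gre_packet = gre_header() + tunnel_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_packet)) + gre_packet


def visible_layers(packet):
    """Parse headers from the outside in and stop at the first ESP header,
    because everything after it is ciphertext to an observer on the WAN."""
    layers = []
    offset = 0
    while True:
        ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_FMT, packet, offset)
        layers.append("IPv4 %s>%s proto=%d" % (".".join(map(str, src)),
                                               ".".join(map(str, dst)), proto))
        offset += (ver_ihl & 0x0F) * 4
        if proto == IPPROTO_ESP:
            spi, seq = struct.unpack_from("!II", packet, offset)
            layers.append("ESP spi=0x%x seq=%d (payload opaque)" % (spi, seq))
            return layers
        if proto == IPPROTO_GRE:
            _, proto_type = struct.unpack_from("!HH", packet, offset)
            layers.append("GRE type=0x%04x" % proto_type)
            offset += 4
            if proto_type != ETHERTYPE_IPV4:
                return layers
            continue
        layers.append("proto %d payload (cleartext)" % proto)
        return layers


# Constructed sample: a LAN host's UDP packet entering the tunnel
INNER = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_UDP, 12) + b"hello-tunnel"


def demo():
    """Return what the WAN observer sees for each of the three encapsulations."""
    return {
        "plain GRE": visible_layers(plain_gre(INNER, "1.1.1.1", "2.2.2.1")),
        "GRE over IPsec": visible_layers(gre_over_ipsec(INNER, "1.1.1.1", "2.2.2.1")),
        "IPsec over GRE": visible_layers(ipsec_over_gre(
            INNER, "1.1.1.1", "2.2.2.1", "192.168.250.1", "192.168.250.2")),
    }


if __name__ == "__main__":
    for name, layers in demo().items():
        print(name + ":")
        for layer in layers:
            print("  " + layer)
```

The practical difference this shows is what leaks to anyone capturing on the WAN: with GRE over IPsec only the physical peer addresses and an ESP SPI are visible, while IPsec over GRE additionally reveals that a GRE tunnel exists and the tunnel interface addressing, which is one more reason the tunnel-protection form is the one to deploy.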
09-18-2022 06:01 PM
Hi ,
Can we deploy IPsec over GRE and GRE over IPsec in one router?
We have one WAN interface only.
09-19-2022 02:37 AM
@MrBeginner you'd only be able to use IPSec over GRE if you are running a really old IOS version, the configuration is no longer supported.
Why would you want to run IPSec over GRE anyway?
Generally you'd use GRE over IPsec with Tunnel Protection (FlexVPN), Multipoint GRE (DMVPN) or a VTI (FlexVPN).
09-20-2022 01:30 AM
Hi @Rob Ingram
I am still confused about IPsec over GRE and GRE over IPsec depending on the configuration. I know the different header types and how they work; I am confused about the configuration session only. We are using HP devices and now we will tunnel to Cisco routers. In the existing configuration all IPsec profiles are applied on the physical interface.
So I assume that if we apply the IPsec profile on the physical interface, it is GRE over IPsec, and if we apply the IPsec profile on the tunnel, it is IPsec over GRE. Is that not correct?
DMVPN and VTI apply the IPsec profile under the tunnel interface; I don't know why it is GRE over IPsec?
09-20-2022 01:52 AM
DMVPN and VTI apply the IPsec profile under the tunnel interface; I don't know why it is GRE over IPsec?
Add to this: you can run DMVPN w/o IPSec!!!
09-20-2022 01:59 AM
I hope to finish the lab today.
09-19-2022 02:54 AM
I will run small lab and share results with you.
09-20-2022 11:35 PM
Hi All ,
Now I know which is IPsec over GRE / GRE over IPsec. Our current setup is policy-based GRE over IPsec. Let me know: can we deploy both a policy-based VPN and a route-based VPN together in one router using the same outgoing WAN interface?
09-20-2022 11:49 PM - edited 09-21-2022 02:20 AM
@MrBeginner yes, as long as the crypto ACL defining the interesting traffic for the Policy Based VPN does not match the traffic for the route based VPN. I don't think it's supported or at least not recommended though.
FYI, crypto maps (policy based VPN) have been deprecated completely on newer IOS software releases; you should plan to migrate to a route based VPN (DMVPN or FlexVPN).
09-21-2022 06:47 AM
Just want to add something here:
a route-based VPN can and cannot be protected, so to enable both,
you can not protect the route-based VPN and depend on protecting the traffic in the policy-based VPN.