IPSec in GRE

bubblegumnex
Level 1

Alright, I've been banging my head against the wall trying to figure this out.

When configuring the IPsec ISAKMP peers, why do I need to use the IP address of the peer's physical interface instead of the IP address of the peer's GRE tunnel?

For example:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

For the ISAKMP peer, I'm using the physical interface address of the destination router. Why?

Huge thanks in advance.

3 Replies

Jennifer Halim
Cisco Employee

The tunnel interface is a virtual interface, and IPSec is on top of the GRE tunnel, i.e. the GRE tunnel is encapsulated inside the IPSec tunnel; therefore you need to set the physical IP address as the peer address.

Leo Laohoo
Hall of Fame

It boils down to the age-old question: which comes first, the chicken or the egg?

In IPSec using VTI, the three phases of IPsec come first. Once they've agreed on the security principle, the tunnel follows next, followed by your routing protocols. Once these are agreed, data traffic starts to traverse the network.

Does this help?

  • A little. Because when set through the tunnel via transport mode, the payload doesn't have an IPSec IP header (at least I think so; I'll have to check my notes) and just the payload is encrypted down the GRE tunnel. I'm also assuming that it's the crypto ACL that defines which interesting traffic is encrypted through IPsec and thus the GRE tunnel.
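A configuration check for the point the replies make, added here as an example that is not from the thread or from Cisco: it parses the question's tunnel config and verifies that the ISAKMP key is bound to the tunnel destination (the peer's physical address) rather than to an address inside the tunnel's own /31, which IKE could only reach once the tunnel were already up. The regexes, the finding strings and the constructed misconfiguration are assumptions.

```python
import ipaddress
import re

# Constructed sample: the config from the question, with the ISAKMP key bound to the
# peer's physical address (the tunnel destination), as the replies recommend.
GOOD_CONFIG = """\
crypto isakmp key CISCO address 217.218.1.1
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
"""
# Constructed misconfiguration: the key is bound to the far end of the tunnel /31 instead.
BAD_CONFIG = GOOD_CONFIG.replace("address 217.218.1.1", "address 10.254.25.5")

def parse_config(text):
    """Collect ISAKMP peer addresses and, per tunnel, its inside address and outer endpoints."""
    cfg = {"isakmp_peers": set(), "tunnels": {}}
    current = None
    for line in text.splitlines():
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["isakmp_peers"].add(m.group(1))
        elif m := re.match(r"interface (Tunnel\d+)", line):
            current = cfg["tunnels"].setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            current["inside"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif current is not None and (m := re.match(r"\s+tunnel (source|destination) (\S+)", line)):
            current[m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None  # left the interface block

    return cfg

def check_peers(cfg):
    """One finding per tunnel. IKE is negotiated between the outer addresses (tunnel source
    and destination) before the tunnel exists, so the key must be bound to the destination;
    an address inside the tunnel subnet is unreachable until the tunnel is already up."""
    findings = []
    for name, t in cfg["tunnels"].items():
        dest = t.get("destination")
        inside_net = t["inside"].network if "inside" in t else None
        if dest is None:
            findings.append((name, "no tunnel destination configured"))
        elif dest in cfg["isakmp_peers"]:
            findings.append((name, "ok"))
        elif inside_net and any(ipaddress.ip_address(p) in inside_net for p in cfg["isakmp_peers"]):
            findings.append((name, "ISAKMP peer is a tunnel-interface address, not the physical peer " + dest))
        else:
            findings.append((name, "no ISAKMP key for physical peer " + dest))
    return findings
```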