04-26-2012 02:16 AM - edited 02-21-2020 06:01 PM
Hi
I have two routers (C887VAG2 & ASR1006) connected point-to-point. I'm trying to configure IPsec, but my phase 2 fails and the GRE tunnel protocol remains down. I tried tunnel protection on VTIs and applying a crypto map on the tunnel interface; when I apply the crypto map on the tunnel interface I get the error message below:
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
I have attached the configs for both routers, there's no intermediate device.
- Is it possible to get a document that explains what headers are added to the packet when VLAN and IPsec are used?
- An explanation of the difference between GRE-over-IPsec vs IPsec-over-GRE, i.e. the process as the packet enters the router, gets encrypted, and is then decrypted on the remote side.
Thanks and regards
Mpho
04-26-2012 05:06 AM
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
I have attached the configs for both routers, there's no intermediate device.
Since CSCtj63943 we have disabled this possibility in order to avoid configuring something not supported.
About your 2 questions:
In transport mode
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035
In tunnel mode
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp58618
Of course GRE over IPSEC needs to be set up in transport mode to avoid:
Essentially:
GRE over IPSEC
----------------------------------------------------------------------------------------
|IP header|IPSEC Header| Encrypted PAYLOAD| ESP Trailer|
-----------------------------------------------------------------------------------------
Where Encrypted Payload contains:
-----------------------------------------
|GRE header| IP packet |
-----------------------------------------
IPSEC over GRE [ Supported with GETVPN only]
----------------------------------------------------------------------------------------
|IP header|GRE|IPSEC Header| Encrypted PAYLOAD| ESP Trailer|
-----------------------------------------------------------------------------------------
Where Encrypted Payload contains:
-----------------------------------------
|IP packet |
-----------------------------------------
With IPSEC over GRE you then 'leak' some information [an attacker sees it's GRE traffic and he could start to try to blindly inject some packets by simply sending some stuff encapsulated into GRE].
Let me know if this answers your question.
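To make the two header stacks in the reply concrete, here is an added example (not part of the reply or of any Cisco code) that builds both layouts byte by byte and then walks them the way an on-path observer would, stopping at the first ESP header because everything behind it is ciphertext. It also builds the GRE-over-IPsec packet in tunnel mode to show the extra IP header that transport mode avoids, and it decapsulates the ESP payload to show the receiver popping GRE after ESP. Assumptions: all addresses, SPIs and the inner TCP packet are constructed sample values; ESP "encryption" is stood in for by a constant XOR so the script runs offline; and in the IPsec-over-GRE layout the GRE payload is taken to be an IPv4 packet carrying ESP, i.e. the delivery IP header that the reply's diagram leaves implicit.

```python
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left 0 (sample only)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def gre_header(proto_type=ETHERTYPE_IPV4):
    """Basic 4-byte GRE header (RFC 2784): no flags, payload protocol type."""
    return struct.pack("!HH", 0, proto_type)


def esp_encapsulate(spi, seq, plaintext, next_header):
    """ESP framing (RFC 4303): SPI and sequence number in the clear, then the
    encrypted {payload | padding | pad length | next header} trailer.
    Constant XOR stands in for the cipher so this runs offline (constructed)."""
    pad_len = (-(len(plaintext) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(b ^ 0x5A for b in plaintext + trailer)
    return struct.pack("!II", spi, seq) + ciphertext


def esp_decapsulate(esp):
    """Receiver side: undo the stand-in cipher, strip the trailer, and return
    (next_header, payload) so the caller knows which header comes next."""
    plain = bytes(b ^ 0x5A for b in esp[8:])
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def sample_inner_packet():
    """Constructed cleartext packet between two LAN hosts behind the routers."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP,
                       len(tcp) + len(payload)) + tcp + payload


def gre_over_ipsec(outer_src, outer_dst, inner, mode="transport"):
    """GRE over IPsec: ESP protects {GRE | inner IP}. Transport mode reuses the
    GRE endpoints' IP header as the ESP outer header; tunnel mode wraps the
    whole GRE packet in a second, redundant IP header (20 extra bytes)."""
    gre_pdu = gre_header() + inner
    if mode == "transport":
        esp = esp_encapsulate(0x1001, 1, gre_pdu, IPPROTO_GRE)
    elif mode == "tunnel":
        gre_packet = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_pdu)) + gre_pdu
        esp = esp_encapsulate(0x1001, 1, gre_packet, IPPROTO_IPIP)
    else:
        raise ValueError(mode)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def ipsec_over_gre(outer_src, outer_dst, inner):
    """IPsec over GRE: the ESP packet (tunnel mode, protecting the inner IP
    packet) rides inside GRE, so the GRE header is readable on the wire.
    Assumption: GRE carries an IPv4 packet whose protocol is ESP."""
    esp = esp_encapsulate(0x1002, 1, inner, IPPROTO_IPIP)
    esp_packet = ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp
    gre_pdu = gre_header() + esp_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_pdu)) + gre_pdu


def observer_view(packet):
    """Headers an on-path observer can read, in order. Parsing stops at ESP:
    only the SPI and sequence number are visible, the rest is ciphertext."""
    seen, offset, proto, layer = [], 0, None, "ip"
    while True:
        if layer == "ip":
            ihl = (packet[offset] & 0x0F) * 4
            proto = packet[offset + 9]
            seen.append("IP")
            offset += ihl
            layer = {IPPROTO_GRE: "gre", IPPROTO_ESP: "esp"}.get(proto, "other")
        elif layer == "gre":
            _flags, ptype = struct.unpack_from("!HH", packet, offset)
            seen.append("GRE")
            offset += 4
            layer = "ip" if ptype == ETHERTYPE_IPV4 else "other"
        elif layer == "esp":
            spi, _seq = struct.unpack_from("!II", packet, offset)
            seen.append(f"ESP(spi=0x{spi:04x})")
            return seen
        else:
            seen.append(f"proto {proto}")
            return seen


if __name__ == "__main__":
    inner = sample_inner_packet()
    for name, pkt in [("GRE over IPsec (transport)", gre_over_ipsec("192.0.2.1", "198.51.100.1", inner)),
                      ("GRE over IPsec (tunnel)", gre_over_ipsec("192.0.2.1", "198.51.100.1", inner, "tunnel")),
                      ("IPsec over GRE", ipsec_over_gre("192.0.2.1", "198.51.100.1", inner))]:
        print(f"{name}: {len(pkt)} bytes, visible: {' | '.join(observer_view(pkt))}")
```

Running it shows that with GRE over IPsec the observer sees only an outer IP header and an ESP SPI, while with IPsec over GRE the GRE header (and the IP header it carries) is in the clear, which is the leak the reply refers to; the tunnel-mode variant is 20 bytes longer for no gain in what is hidden.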
04-26-2012 04:43 PM
From a configuration perspective, what determines which of the 2 aforementioned deployments you get?
For example, if I want to use IPSec-over-GRE, where do I apply my IPSec policy, and for GRE-over-IPSec, where do I apply my IPSec policy?
Sent from Cisco Technical Support iPad App
04-26-2012 04:47 PM
Oh sorry, I missed the part where you explicitly mention that IPSec-over-GRE is supported with GETVPN only.
Thanks
Sent from Cisco Technical Support iPad App