ipsec on vlan

mailaglady2
Beginner

Hi

I have two routers (C887VAG2 & ASR1006) connected point-to-point. I'm trying to configure IPsec, but my phase 2 fails and the GRE tunnel protocol remains down. I tried tunnel protection on VTIs and applying a crypto map on the tunnel interface; when I apply the crypto map on the tunnel interface I get the error message below:

% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

I have attached the configs for both routers, there's no intermediate device.

- Is it possible to get a document that explains which headers are added to the packet when VLAN and IPsec are used?

- An explanation of the difference between GRE-over-IPsec and IPsec-over-GRE: the process as the packet enters the router, gets encrypted, and is then decrypted on the remote side.

Thanks and regards

Mpho

Accepted Solution

olpeleri
Cisco Employee

% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

I have attached the configs for both routers, there's no intermediate device.

Since CSCtj63943 we have disabled this possibility in order to avoid configuring something not supported.

About your 2 questions:

In transport mode

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp56035

In tunnel mode

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/IPSecQoS.html#wp58618

Of course GRE over IPsec needs to be set up in transport mode to avoid:

  • Wasting overhead [saves 20 bytes]
  • NAT compatibility issues [without going into too much detail, tunnel mode may not work behind NAT]

Essentially:

GRE over IPsec

------------------------------------------------------------
|IP header|IPsec header|Encrypted payload|ESP trailer|
------------------------------------------------------------

where the encrypted payload contains:

-----------------------------
|GRE header|IP packet|
-----------------------------

IPsec over GRE [supported with GETVPN only]

------------------------------------------------------------
|IP header|GRE|IPsec header|Encrypted payload|ESP trailer|
------------------------------------------------------------

where the encrypted payload contains:

-----------------------------
|IP packet|
-----------------------------

With IPsec over GRE you then 'leak' some information [an attacker sees that it is GRE traffic and could start to try to blindly inject some packets by simply sending some stuff encapsulated in GRE].

Let me know if this answers your question.

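The two header stacks in the accepted answer, worked through as byte counts. This is an added illustration, not Cisco code or anything from the attached configs: it assumes ESP with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), a plain RFC 2784 GRE header and IPv4 without options, and it also computes the largest inner packet that still fits a 1500-byte link, which is what the tunnel's ip mtu / ip tcp adjust-mss values should be derived from.

```python
# Added illustration (not Cisco code): header stacks and overhead of
# GRE-over-IPsec in transport vs tunnel mode, and of IPsec-over-GRE.
# Assumed transform: ESP with AES-CBC (16-byte IV/block) and HMAC-SHA1-96
# (12-byte ICV); GRE with no optional fields (RFC 2784); IPv4 without options.

IPV4_HDR = 20        # IPv4 header, no options
GRE_HDR = 4          # RFC 2784 GRE header, no checksum/key/sequence
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # AES-CBC IV
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16    # AES block size; payload + trailer must be a multiple


def esp_envelope(plaintext_len):
    """Return (padding, fixed_overhead) that ESP adds around plaintext_len bytes."""
    padding = (-(plaintext_len + ESP_TRAILER)) % CIPHER_BLOCK
    fixed = ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV
    return padding, fixed


def gre_over_ipsec(inner_len, mode="transport"):
    """GRE encapsulation first, then ESP over the GRE packet.

    transport: ESP protects only the GRE payload and reuses the delivery
               IP header (the 'tunnel protection' case).
    tunnel:    ESP builds and encrypts a second IP header, which costs
               IPV4_HDR extra bytes for no gain between two routers.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode {mode!r}")
    protected = GRE_HDR + inner_len          # what ESP encrypts
    if mode == "tunnel":
        protected += IPV4_HDR                # inner tunnel IP header too
    padding, fixed = esp_envelope(protected)
    return {
        "on_wire": IPV4_HDR + fixed + padding + protected,
        "header_overhead": IPV4_HDR + fixed + (protected - inner_len),
        "padding": padding,
        # What an on-path observer can read: GRE sits inside the ciphertext.
        "cleartext_layers": ["IPv4", "ESP"],
    }


def ipsec_over_gre(inner_len):
    """ESP in tunnel mode (whole inner IP packet encrypted) carried inside
    GRE, matching the IPsec-over-GRE diagram in the reply above."""
    padding, fixed = esp_envelope(inner_len)
    return {
        "on_wire": IPV4_HDR + GRE_HDR + fixed + padding + inner_len,
        "header_overhead": IPV4_HDR + GRE_HDR + fixed,
        "padding": padding,
        # The GRE header (and its protocol type) is visible on the wire.
        "cleartext_layers": ["IPv4", "GRE", "ESP"],
    }


def max_inner_len(link_mtu=1500, mode="transport"):
    """Largest inner IP packet that fits the link MTU after GRE+ESP
    encapsulation without fragmentation (basis for the tunnel's ip mtu)."""
    for inner in range(link_mtu, 0, -1):
        if gre_over_ipsec(inner, mode)["on_wire"] <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any payload")


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"GRE over IPsec ({mode}):", gre_over_ipsec(1400, mode))
    print("IPsec over GRE:", ipsec_over_gre(1400))
    print("max inner length on a 1500-byte link:",
          max_inner_len(1500, "transport"), "(transport)",
          max_inner_len(1500, "tunnel"), "(tunnel)")
```

The 20-byte figure in the reply is the difference in "header_overhead" between the two modes (the extra encrypted IPv4 header); the on-wire difference for a given packet can be larger or smaller because ESP pads to the cipher block size, which is why the MTU calculation is done on the encapsulated length rather than by subtracting a constant. The "cleartext_layers" entry is the information-leak point: with IPsec over GRE a passive observer sees GRE before any decryption, with GRE over IPsec only IP and ESP are exposed.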

3 Replies


From a configuration perspective, what determines which of the 2 aforementioned deployments is used?

For example, if I want to use IPsec-over-GRE, where do I apply my IPsec policy, and for GRE-over-IPsec, where do I apply my IPsec policy?


Oh sorry, I missed the part where you explicitly mention IPsec-over-GRE is supported with GETVPN only.

Thanks

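For the question above about where the IPsec policy is applied in the GRE-over-IPsec case: on IOS the policy goes on the tunnel interface as an IPsec profile via tunnel protection, not as a crypto map (which is what the "% NOTE: crypto map is configured on tunnel interface" message is refusing). The following is an added example, not the configs attached to the thread; the addresses, interface names and pre-shared key are placeholders, and the SHA-256 transform assumes an IOS 15.x-era image.

```cisco
! Added example (not the thread's attached configs). Addresses, interface
! names and the pre-shared key are hypothetical placeholders.
! The IPsec policy is applied with 'tunnel protection' on the tunnel
! interface; a crypto map on a tunnel interface is rejected unless GDOI.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Transport mode, as the accepted answer recommends: ESP protects only the
! GRE payload and reuses the delivery IP header (20 bytes saved per packet).
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! The peer mirrors this with 10.0.0.2/30, its own tunnel source, and
! tunnel destination / isakmp key pointing back at this router.
```

With both sides configured this way, show crypto isakmp sa should list the peer in QM_IDLE, show crypto ipsec sa should show inbound and outbound ESP SAs with increasing encaps/decaps counters, and show interfaces Tunnel0 should report line protocol up; if phase 2 still fails, compare the transform set and mode on both ends first, since a mismatch there is the usual cause of a phase 1 success followed by a phase 2 failure.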
