IPSEC over GRE ios 15.2

cwkronk1982
Level 1

So I'm working on my CCNP project and one portion is to do IPSEC over GRE. After working on this for about an hour and a half we figured out that the GDOI error that was popping up was as a result of having ios 15.2 installed and Crypto maps not being supported on a tunnel interface. What we were reading as replacements were confusing. Several different options were GDOI with PKI, GETVPN, DMVPN, SVTI, etc... We don't need anything complicated. What is the easiest, most direct replacement for IPSEC over GRE on ios 15.2? SVTI looked promising, but I'd prefer not to spend another hour and a half or more chasing the wrong protocol.

Accepted Solution

To be precise about terminology you cannot do IPsec over GRE with tunnel protection. A tunnel interface with tunnel protection is VTI and does not do GRE (and does not use a crypto map). A GRE tunnel with IPsec does not have tunnel protection (and does use a crypto map).

Yes VTI is for transporting IP protocol traffic. What other protocols are you interested in carrying over this tunnel? If you do really have a need to carry non IP traffic over the tunnel then you do need GRE with IPsec and not VTI.

Cisco's rationalization for introducing VTI was that the VAST majority of traffic transported over encrypted tunnels is IP traffic and using VTI simplifies the configuration. So there is a bit of a trade off. You accept the restriction of not transporting non IP protocols and you get the advantages of no crypto map, no access list to identify traffic to be encrypted, and a few other things.

I have used both approaches in configuring encrypted tunnels for customers. If you don't have specific need for GRE then you are generally better off to use VTI. There are a few circumstances where you do need the capabilities of GRE (perhaps you need to transport DECnet or IPX or some other protocol, or perhaps you need to encrypt some of the traffic through the tunnel but not encrypt other traffic, or some reason like that) and in those situations you do need GRE with IPsec and not VTI.

HTH

Rick

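As an added example (not from this thread or any of its posters), the two alternatives Rick describes, written out as IOS configuration with constructed addresses, names and a placeholder pre-shared key: Option A is the VTI form (tunnel protection, no crypto map, no crypto ACL, IP traffic only) and Option B is the GRE tunnel with a crypto map, which is applied to the physical interface rather than the tunnel. Only one of the two is needed on a router, and the peer needs the mirror-image configuration.

```cisco
! --- Common IKEv1 / IPsec policy (addresses, names and the PSK are constructed placeholders) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Option A: VTI. IPsec is bound to the tunnel with "tunnel protection";
!     no crypto map and no ACL, everything routed into Tunnel0 is encrypted. ---
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! --- Option B: GRE tunnel plus crypto map. The ACL selects the GRE packets
!     between the endpoints; the map goes on the physical egress interface,
!     not on the tunnel interface. GRE can carry non-IP protocols. ---
ip access-list extended GRE-TO-PEER
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map CM-GRE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address GRE-TO-PEER
!
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-GRE
```

With either option, `show crypto session` and `show crypto ipsec sa` confirm that the SA is up and that the `pkts encaps`/`pkts decaps` counters increment as traffic crosses the tunnel; in Option B, traffic not matched by the ACL leaves the physical interface unencrypted, which is exactly the "encrypt some but not all" case Rick mentions.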


4 Replies

Philip D'Ath
VIP Alumni

VTI

I also just this morning read an article about IPSEC over GRE with tunnel protected mode where you don't have to use crypto maps.

Will this work on 15.2? If so, would that make it better than IPSEC with VTIs as apparently with a VTI you can't carry other protocols over it like you can with a GRE tunnel? 

If the IPSEC over GRE with tunnel protected mode doesn't work and you're forced to use VTIs which won't carry other protocols, what was Cisco's rationalization behind this?


To be precise about terminology you cannot do IPsec over GRE with tunnel protection. A tunnel interface with tunnel protection is VTI and does not do GRE (and does not use a crypto map). A GRE tunnel with IPsec does not have tunnel protection (and does use a crypto map).

If I can't do IPSEC over GRE with tunnel protection, then what is this?

https://learningnetwork.cisco.com/docs/DOC-2457
"What we are trying to cover in this text is IPsec over GRE tunnels (as a transport not tunneled) you can also call it GRE over IPsec, or Routed base tunnels versus Policy based tunnel, all lead to the same thing: encrypting your data with IPsec while GRE is your logical interface to route or do fancy stuff like multicast!

In this example, There’s no need to define Crypto-map (Policy based tunnels are not cool) as long as IPsec is defined inside the tunnel interface using "tunnel protection" command. (Routed based tunnel)"

Of course, I could be reading this wrong and the article could just be completely confusing since it says IPsec over GRE also called GRE over IPsec. Which one is being shown in that article?

And that's where it gets confusing. I understand the difference between IPsec over GRE with encrypted IPsec packets being carried across a GRE tunnel and GRE over IPsec where a GRE tunnel has its information encrypted over an IPsec connection. How do you know what a person is talking about when they use it both ways? From what I understood is that IPSEC over GRE is the most common way to do things.

I think we're going to try the VTI approach as it does make sense and after looking at configs, it does seem much easier.