562 Views · 0 Helpful · 4 Replies

IPsec with GRE question

mjia
Level 1

Hi,

Does anyone have a good reference doc about GRE with IPsec?

I am a little confused about the 2 flavors of crypto ACL used:

A) permit ip <source-net> <destination-net>

B) permit gre any any

It seems option A is encrypt first, then GRE encap, while option B is encap first, then encrypt.

Is there a good ref about these setups?

Thanks

Michael

4 Replies

mherald
Level 1

I am unsure about any good references. I guess it all depends on what you want to do. It also depends on whether you are running a GRE tunnel (which is optional) as well.

Option A would encrypt all traffic matching the ACL. Option B would encrypt all tunnel traffic leaving that interface.

It all depends on what you want to accomplish. I ended up going with option B as we had a large amount of tunnels and it was just easier for me to see.

I can tell you, about the most important thing you can do for VPN router-to-router access is to get loopbacks on the router(s) in question.

Mike

reswaran
Cisco Employee

Hi,

Cisco SDM might help you. It's a UI device manager which comes with access routers and helps you set up your VPN network with ease.

Please take a look at http://www.cisco.com/go/SDM

Regards,

Ravikumar

mnaveen
Level 1

Hi Michael,

As you understand, there are 2 ways to use IPSec with GRE. One is GRE inside IPSec (this is the most often used) and the other is IPSec inside GRE. Your option A is the case of IPSec inside GRE and option B is the case of GRE inside IPSec.

You would require GRE inside IPSec when you want non-IP packets or multicast packets to be encrypted and sent over a tunnel. This is because IPSec can encrypt only unicast traffic. For example: a routing protocol like RIP uses multicast for communicating with RIP-enabled routers. In this case, the multicast traffic is first encapsulated with GRE (which will turn the multicast packet into a unicast packet by changing the source and destination address to the tunnel source and destination address) and then IPSec is applied on it.

The necessary rule of thumb is:

-------------------------------------------

For GRE inside IPSec tunnel, use only GRE as the protocol and the GRE tunnel end points as the traffic source and destination in the crypto ACL.

For IPSec inside GRE tunnel, use only IP as the protocol and only hosts as the traffic source and destination in your crypto ACL.

Hope that is clear. Let me know if you have more questions.

Naveen.

mnaveen@cisco.com
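To make the difference between the two crypto-ACL flavours concrete, here is a small model of the ordering described in the question (option A: encrypt, then GRE-encapsulate; option B: GRE-encapsulate, then encrypt) together with the RIP multicast case from the reply above. This is an added example, not Cisco code and not code from anyone in the thread; the tunnel endpoints (203.0.113.1 / 198.51.100.2), the inner networks (10.1.0.0/24, 10.2.0.0/24) and the packets are constructed for illustration, and ESP is modelled in transport mode with the header stack shown as a tuple of names rather than real bytes.

```python
"""Model of the two crypto-ACL flavours: 'permit ip <net> <net>' evaluated before
GRE encapsulation (IPsec inside GRE) versus 'permit gre host A host B' evaluated
after GRE encapsulation (GRE inside IPsec). Added example with constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

IP_PROTO_GRE = 47
IP_PROTO_ESP = 50

# Constructed tunnel endpoints (documentation address ranges, not real hosts).
TUNNEL_SRC = "203.0.113.1"
TUNNEL_DST = "198.51.100.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int               # IP protocol number of the header that follows the IP header
    layers: Tuple[str, ...]  # header stack, outermost first, kept only for display


@dataclass(frozen=True)
class AclEntry:
    """One 'permit <proto> <src> <dst>' line of a crypto ACL."""
    proto: str  # "ip" (any protocol) or "gre"
    src: str    # CIDR prefix, "host x.x.x.x", or "any"
    dst: str


def _net(spec: str):
    """Translate an ACL address spec into an ipaddress network object."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    return ip_network(spec)


def acl_matches(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching permit wins; an ACL with no match denies (no encryption)."""
    for entry in acl:
        proto_ok = entry.proto == "ip" or (entry.proto == "gre" and pkt.proto == IP_PROTO_GRE)
        if proto_ok and ip_address(pkt.src) in _net(entry.src) \
                and ip_address(pkt.dst) in _net(entry.dst):
            return True
    return False


def gre_encap(pkt: Packet) -> Packet:
    """GRE: a new outer IP header with the tunnel endpoints as addresses; the
    original packet (unicast, multicast or otherwise) becomes the GRE payload."""
    return Packet(TUNNEL_SRC, TUNNEL_DST, IP_PROTO_GRE, ("IP(tunnel)", "GRE") + pkt.layers)


def ipsec_encrypt(pkt: Packet) -> Packet:
    """Simplified transport-mode ESP: the IP header stays, everything after it is
    protected, so 'ESP' slides in right behind the outermost IP header."""
    return Packet(pkt.src, pkt.dst, IP_PROTO_ESP, pkt.layers[:1] + ("ESP",) + pkt.layers[1:])


# Option A from the question: match the original packet by network, then tunnel it.
CRYPTO_ACL_A = [AclEntry("ip", "10.1.0.0/24", "10.2.0.0/24")]
# Option B: match the GRE packet between the tunnel endpoints (the reply's rule of thumb).
CRYPTO_ACL_B = [AclEntry("gre", f"host {TUNNEL_SRC}", f"host {TUNNEL_DST}")]


def option_a(pkt: Packet) -> Packet:
    """IPsec inside GRE: crypto ACL is evaluated before GRE encapsulation."""
    if acl_matches(CRYPTO_ACL_A, pkt):
        pkt = ipsec_encrypt(pkt)
    return gre_encap(pkt)


def option_b(pkt: Packet) -> Packet:
    """GRE inside IPsec: GRE encapsulation first, crypto ACL evaluated on the GRE packet."""
    pkt = gre_encap(pkt)
    if acl_matches(CRYPTO_ACL_B, pkt):
        pkt = ipsec_encrypt(pkt)
    return pkt


def is_encrypted(pkt: Packet) -> bool:
    """True if an ESP header is somewhere in the stack, i.e. the payload was protected."""
    return "ESP" in pkt.layers


# Constructed sample traffic: a unicast TCP flow between the two sites and a
# RIP update to the 224.0.0.9 multicast group, as in the reply above.
UNICAST = Packet("10.1.0.5", "10.2.0.7", 6, ("IP(inner)", "TCP"))
RIP_MULTICAST = Packet("10.1.0.1", "224.0.0.9", 17, ("IP(inner)", "UDP/RIP"))

if __name__ == "__main__":
    for name, pkt in (("unicast", UNICAST), ("RIP multicast", RIP_MULTICAST)):
        for label, fn in (("A (ip net net)", option_a), ("B (gre host host)", option_b)):
            out = fn(pkt)
            print(f"{name:14s} option {label:18s} encrypted={is_encrypted(out)!s:5s} "
                  f"stack={'/'.join(out.layers)}")
```

Running it shows why the reply recommends GRE inside IPsec for routing protocols: the unicast flow is protected under both options, but the RIP update only matches a crypto ACL after GRE has rewritten its addresses to the tunnel endpoints, so under option A it leaves in the clear inside the GRE tunnel while under option B it is covered by ESP. Swapping `mode transport` for tunnel mode would add another outer IP header but not change which packets match.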