cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
730
Views
0
Helpful
6
Replies

To confirm Network is GRE over IPSEC

mahesh18
Frequent Contributor
Frequent Contributor

                   Hi Everyone,

We have Cisco 4500 device having GRE tunnel and next HOP is ASA is doing the IPSEC VPN over WAN.

So this type of Network is called as GRE over IPSEC  right  ?

Also when i do on 4500 sh int tu0

reliability 255/255, txload 79/255, rxload 121/255

  5 minute input rate 2228000 bits/sec, 790 packets/sec

  5 minute output rate 780000 bits/sec, 351 packets/sec

Need to understand  this shows Data transmitted over GRE tunnel which is not encrypted right ?

To check data transmitted by ipsec ASA  which is encrypted  we can do sh crypto  isakmp sa right ?

Where we apply crypto MAP here on ASA  physical interface?

Thanks

Mahesh

3 Accepted Solutions

Accepted Solutions

Rudy Sanjoko
Enthusiast
Enthusiast

If your GRE tunnel has protection applied on it, then I believe those data transmitted are encrypted. GRE over ipsec simply means applying tunnel protection to the gre tunnel otherwise it is just a plain GRE tunnel.

Aside than show crypto isakmp sa, you can also check whether traffic from one site to another is using GRE or not by issuing show crypto ipsec sa, it will show you the protocol number and it should say 47. And if you are using tunnel protection command to define the ipsec to the tunnel, you will not need to define crypto maps anymore.

View solution in original post

ALIAOF_
Frequent Contributor
Frequent Contributor

I think here is the setup your are describing:

you have a "Site to Site VPN" IPSec

Then you have a Cisco 4500 on top of it doing a GRE tunnel.  So GRE tunnel itself is NOT encrypted.  But since looks like your GRE is only happening on the internal network and the two sites are connected via a separate IPSec VPN your GRE is encrypted for the outside world since that traffic is going through the ASA's IPSec but the GRE tunnel itself does not have IPSec protection applied to it, you should have, this is how it looks like with the IPSec encryption.  If it is not then you just have a GRE tunnel and internally it is still not encrypted.

crypto isakmp policy 10

authentication pre-share

crypto isakmp key CISCO address 217.218.1.1

!

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac

mode transport

crypto ipsec profile MyProfile

set transform-set MyTransSet

!

interface Tunnel0

ip address 10.254.25.4 255.255.255.254

tunnel source 81.12.50.1

tunnel destination 217.218.1.1

tunnel mode ipsec ipv4

tunnel protection ipsec profile MyProfile

View solution in original post

ALIAOF_
Frequent Contributor
Frequent Contributor

Aight lets try this again, GRE tunnel = Not encrypted unless you have the IPSec profile applied like shown above

But since (I am assuming from what you have explained) your GRE tunnel is only comprised of LAN from Site A, Site B it is protected from the outside world.  But on a local LAN it is not encrypted.

View solution in original post

6 Replies 6

Rudy Sanjoko
Enthusiast
Enthusiast

If your GRE tunnel has protection applied on it, then I believe those data transmitted are encrypted. GRE over ipsec simply means applying tunnel protection to the gre tunnel otherwise it is just a plain GRE tunnel.

Aside than show crypto isakmp sa, you can also check whether traffic from one site to another is using GRE or not by issuing show crypto ipsec sa, it will show you the protocol number and it should say 47. And if you are using tunnel protection command to define the ipsec to the tunnel, you will not need to define crypto maps anymore.

mahesh18
Frequent Contributor
Frequent Contributor

Hi Rudy,

Thanks for reply.

When you say tunnel protection command so mean to say that command should only be applied  on tunnel interface?

currently gre tunnel interface has no tunnel protection command .

so this means that ASA  IPSEC is doing encryption with crypto maps?

MAhesh

ALIAOF_
Frequent Contributor
Frequent Contributor

I think here is the setup your are describing:

you have a "Site to Site VPN" IPSec

Then you have a Cisco 4500 on top of it doing a GRE tunnel.  So GRE tunnel itself is NOT encrypted.  But since looks like your GRE is only happening on the internal network and the two sites are connected via a separate IPSec VPN your GRE is encrypted for the outside world since that traffic is going through the ASA's IPSec but the GRE tunnel itself does not have IPSec protection applied to it, you should have, this is how it looks like with the IPSec encryption.  If it is not then you just have a GRE tunnel and internally it is still not encrypted.

crypto isakmp policy 10

authentication pre-share

crypto isakmp key CISCO address 217.218.1.1

!

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac

mode transport

crypto ipsec profile MyProfile

set transform-set MyTransSet

!

interface Tunnel0

ip address 10.254.25.4 255.255.255.254

tunnel source 81.12.50.1

tunnel destination 217.218.1.1

tunnel mode ipsec ipv4

tunnel protection ipsec profile MyProfile

mahesh18
Frequent Contributor
Frequent Contributor

Hi Ali,

I checked config on ASA it has crypto statements.

Also sh crypto ipsec sa  shows subnets from tunnel source and destination under

local ident

remote ident

So this confirms traffic is encrypted even we do not have tunnel protection command under GRE right  ?

Thanks

Mahesh

ALIAOF_
Frequent Contributor
Frequent Contributor

Aight lets try this again, GRE tunnel = Not encrypted unless you have the IPSec profile applied like shown above

But since (I am assuming from what you have explained) your GRE tunnel is only comprised of LAN from Site A, Site B it is protected from the outside world.  But on a local LAN it is not encrypted.

mahesh18
Frequent Contributor
Frequent Contributor

Hi Mohammad,

Many thanks for all your replies.

Now  i got the exact answer from you.

Now picture is clear to me.

Best regrads

Mahesh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers