01-08-2013 07:37 AM - edited 02-21-2020 06:36 PM
Hi Everyone,
We have a Cisco 4500 device with a GRE tunnel, and the next hop is an ASA that is doing the IPsec VPN over the WAN.
So this type of network is called GRE over IPsec, right?
Also, when I do sh int tu0 on the 4500:
reliability 255/255, txload 79/255, rxload 121/255
5 minute input rate 2228000 bits/sec, 790 packets/sec
5 minute output rate 780000 bits/sec, 351 packets/sec
I need to understand: this shows data transmitted over the GRE tunnel, which is not encrypted, right?
To check the data transmitted by the ASA's IPsec, which is encrypted, we can do sh crypto isakmp sa, right?
Where do we apply the crypto map here, on the ASA physical interface?
Thanks
Mahesh
01-08-2013 08:56 AM
If your GRE tunnel has protection applied on it, then I believe the data transmitted is encrypted. GRE over IPsec simply means applying tunnel protection to the GRE tunnel; otherwise it is just a plain GRE tunnel.
Aside from show crypto isakmp sa, you can also check whether traffic from one site to another is using GRE or not by issuing show crypto ipsec sa; it will show you the protocol number, and it should say 47. And if you are using the tunnel protection command to define the IPsec for the tunnel, you will not need to define crypto maps anymore.
01-08-2013 09:08 AM
Hi Rudy,
Thanks for the reply.
When you say tunnel protection command, do you mean that the command should only be applied on the tunnel interface?
Currently the GRE tunnel interface has no tunnel protection command.
So this means that the ASA IPsec is doing the encryption with crypto maps?
Mahesh
01-08-2013 11:18 AM
I think this is the setup you are describing:
you have a "Site to Site VPN" IPSec.
Then you have a Cisco 4500 on top of it doing a GRE tunnel. So the GRE tunnel itself is NOT encrypted. But since it looks like your GRE is only happening on the internal network and the two sites are connected via a separate IPSec VPN, your GRE is encrypted for the outside world, since that traffic is going through the ASA's IPSec; but the GRE tunnel itself does not have IPSec protection applied to it. You should have; this is how it looks with the IPSec encryption. If it is not, then you just have a GRE tunnel and internally it is still not encrypted.
! Phase 1 (IKE): pre-shared key authentication with the remote peer
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key CISCO address 217.218.1.1
!
! Phase 2: transform set, wrapped in an IPsec profile the tunnel can reference
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
! The protection is attached to the tunnel interface itself, so no crypto map is needed.
! Note: "tunnel mode ipsec ipv4" makes this an IPsec VTI; for GRE over IPsec keep the
! default "tunnel mode gre ip" and apply the same "tunnel protection" line.
interface Tunnel0
 ip address 10.254.25.4 255.255.255.254
 tunnel source 81.12.50.1
 tunnel destination 217.218.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
01-08-2013 12:07 PM
Hi Ali,
I checked the config on the ASA; it has crypto statements.
Also, sh crypto ipsec sa shows the subnets from the tunnel source and destination under
local ident
remote ident
So this confirms the traffic is encrypted even though we do not have the tunnel protection command under the GRE, right?
Thanks
Mahesh
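As an added example (not code from the thread or from Cisco), a small parser for the "show crypto ipsec sa" output Rudy and Mahesh refer to: it pulls each SA's local/remote ident and packet counters and tells you whether the SA is GRE over IPsec (protocol 47 between the tunnel endpoints) or a LAN-to-LAN crypto-map SA that happens to carry the GRE, and whether it has actually encrypted anything. The sample output is constructed; the tunnel endpoint addresses are those from Ali's config above.

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on IOS/ASA "show crypto ipsec sa" output, not captured from the thread:
# SA 1 is GRE over IPsec (host-to-host, protocol 47); SA 2 is a crypto-map style LAN-to-LAN SA (0 = any)
SAMPLE = """\
   local  ident (addr/mask/prot/port): (81.12.50.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (217.218.1.1/255.255.255.255/47/0)
    #pkts encaps: 4321, #pkts encrypt: 4321, #pkts digest: 4321
    #pkts decaps: 3999, #pkts decrypt: 3999, #pkts verify: 3999
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

@dataclass
class IpsecSa:
    local: str
    local_mask: str
    remote: str
    remote_mask: str
    proto: int       # IP protocol selected by the SA: 47 = GRE, 0 = any protocol
    encaps: int = 0  # packets this side has encrypted / decrypted so far
    decaps: int = 0

def parse_sas(text: str) -> list[IpsecSa]:
    """One IpsecSa per local/remote ident pair, with the counters that follow it."""
    sas: list[IpsecSa] = []
    for line in text.splitlines():
        if m := IDENT.search(line):
            side, addr, mask, prot, _port = m.groups()
            if side == "local":
                sas.append(IpsecSa(addr, mask, "", "", int(prot)))
            else:
                sas[-1].remote, sas[-1].remote_mask = addr, mask
        elif (m := COUNTER.search(line)) and sas:
            setattr(sas[-1], m.group(1), int(m.group(2)))
    return sas

def classify(sa: IpsecSa, tunnel_src: str, tunnel_dst: str) -> tuple[str, bool]:
    """Return (what the SA protects, whether it has carried traffic in both directions)."""
    if sa.proto == 47 and (sa.local, sa.remote) == (tunnel_src, tunnel_dst):
        what = "gre-over-ipsec"   # the GRE packets between the tunnel endpoints are encrypted
    elif sa.proto == 0:
        what = "lan-to-lan"       # any IP between the two subnets, GRE included, is encrypted
    else:
        what = f"proto-{sa.proto}-only"
    return what, sa.encaps > 0 and sa.decaps > 0
```

An SA whose counters stay at zero while the Tunnel0 rates climb means the GRE traffic is not matching that SA and is leaving the box in the clear.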
01-08-2013 01:42 PM
Alright, let's try this again: GRE tunnel = not encrypted unless you have the IPSec profile applied, as shown above.
But since (I am assuming from what you have explained) your GRE tunnel only comprises the LANs of Site A and Site B, it is protected from the outside world. But on a local LAN it is not encrypted.
01-08-2013 02:15 PM
Hi Mohammad,
Many thanks for all your replies.
Now I got the exact answer from you.
Now the picture is clear to me.
Best regards
Mahesh