GRE IN IPSec? or IPSec IN GRE IN IPSec??

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Ok, so when I first had GRE explained to me, I thought I understood it pretty well.. 'point your routing protocol towards the GRE tunnel, and encrypt the GRE tunnel in IPSec' simple..

The CiscoPress ECG book for ISCW also suggests this, with it's explanation of the resulting headers;

Tunnel Mode
|| ESP IP hdr || ESP hdr || GRE IP hdr || GRE hdr || IP hdr || TCP header || Data || ESP trailer ||


What's confusing me now though, is the resulting config when using the SDM.. I ran through the GRE over IPSec wizard fine, but what I don't understand, is why a Crypto Map gets applied to the Tunnel interface, AND the outgoing interface (as in a normal IPSec tunnel)? Annoyingly, the CiscoPress ECG only gives you the screenshots of SDM, and doesn't give you a CLI example!!

so you have;

crypto isakmp policy 10
auth pre-share
enc 3des
hash sha
group 2
life 86400
crypto isakmp key Te5Tvpn address 11.1.1.2
crypto ipsec transform-set testvpn esp-sha-hmac esp-3des
mode tunnel
crypto map SDM_CMAP_1 1 ipsec-isakmp
desc Tunnel to 12.1.1.2
set peer 12.1.1.2
set transform-set testvpn
match address 100
int tunnel 0
ip address 1.1.1.1 255.255.255.252
tunnel source Fa0/0
tunnel destination 12.1.1.2
crypto map SDM_CMAP_1
int fa 0/0
ip add 11.1.1.1 255.255.255.252
crypto map SDM_CMAP_1
access-list 100 permit gre host 11.1.1.2 host 12.1.1.2


Surely having the CMAP applied twice results in;

Tunnel Mode
|| ESP IP hdr 2 || ESP hdr 2 || GRE IP hdr || GRE hdr || ESP IP hdr 1 || ESP hdr 1 || IP hdr || TCP header || Data || ESP trailer 1 || ESP trailer 2 ||


so the traffic gets encrypted with IPSec as it enters the Tunnel interface, then gets wrapped in GRE, then gets encrypted again in IPSec??

The thing is, i've also tried the same config without applying the CMAP to Tun0, and it still works...

I can understand using IPSec within GRE (for example, to transport IPX within an internal network) in order to provide decent encryption, but why do that and then encrypt everything again..??


What would be the correct way to configure this?? I prefer the method of only applying the CMAP to the physical, because you can then include other traffic in the interesting ACL (e.g. stuff that isn't learnt through a routing protocol running over GRE)

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Having the crypto map applied on both the gre tunnel and the physical intreface will not result in packets being encrypted twice. Essentially, up until around 12.2T it was required to apply crypto maps to both the physical and gre tunnel interfaces. It is not required anymore to apply the crypto map to the gre tunnel interface, only the physical. In fact, it is now recommended to apply only to the physical. So your configuration works fine.

There are a number of tunnel options, I often use ipsec profiles applied to the tunnel interface and no crypto map on the physical interface. Try "tunnel mode ?" to see the tunnel types available.

Spice Weasel

 

.. yep, found this document that highlights the change from applying to both Tunnel and Physical, to just Physical..

I guess SDM does both for "backwards-compatibility", but seeing as the SDM knows what version you're running, you'd think it would know what to do..