1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.


Discussion in 'Network Security' started by HMSPresident, Aug 25, 2009.

  1. HMSPresident

    HMSPresident Bit Poster

    Ok, so when I first had GRE explained to me, I thought I understood it pretty well.. 'point your routing protocol towards the GRE tunnel, and encrypt the GRE tunnel in IPSec' simple..

    The CiscoPress ECG book for ISCW also suggests this, with it's explanation of the resulting headers;

    Tunnel Mode
    || ESP IP hdr || ESP hdr || GRE IP hdr || GRE hdr || IP hdr || TCP header || Data || ESP trailer ||

    What's confusing me now though, is the resulting config when using the SDM.. I ran through the GRE over IPSec wizard fine, but what I don't understand, is why a Crypto Map gets applied to the Tunnel interface, AND the outgoing interface (as in a normal IPSec tunnel)? Annoyingly, the CiscoPress ECG only gives you the screenshots of SDM, and doesn't give you a CLI example!!

    so you have;

    crypto isakmp policy 10
    auth pre-share
    enc 3des
    hash sha
    group 2
    life 86400
    crypto isakmp key Te5Tvpn address
    crypto ipsec transform-set testvpn esp-sha-hmac esp-3des
    mode tunnel
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    desc Tunnel to
    set peer
    set transform-set testvpn
    match address 100
    int tunnel 0
    ip address
    tunnel source Fa0/0
    tunnel destination
    crypto map SDM_CMAP_1
    int fa 0/0
    ip add
    crypto map SDM_CMAP_1
    access-list 100 permit gre host host

    Surely having the CMAP applied twice results in;

    Tunnel Mode
    || ESP IP hdr 2 || ESP hdr 2 || GRE IP hdr || GRE hdr || ESP IP hdr 1 || ESP hdr 1 || IP hdr || TCP header || Data || ESP trailer 1 || ESP trailer 2 ||

    so the traffic gets encrypted with IPSec as it enters the Tunnel interface, then gets wrapped in GRE, then gets encrypted again in IPSec??

    The thing is, i've also tried the same config without applying the CMAP to Tun0, and it still works...

    I can understand using IPSec within GRE (for example, to transport IPX within an internal network) in order to provide decent encryption, but why do that and then encrypt everything again..??

    What would be the correct way to configure this?? I prefer the method of only applying the CMAP to the physical, because you can then include other traffic in the interesting ACL (e.g. stuff that isn't learnt through a routing protocol running over GRE)
    Certifications: See sig..
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Having the crypto map applied on both the gre tunnel and the physical intreface will not result in packets being encrypted twice. Essentially, up until around 12.2T it was required to apply crypto maps to both the physical and gre tunnel interfaces. It is not required anymore to apply the crypto map to the gre tunnel interface, only the physical. In fact, it is now recommended to apply only to the physical. So your configuration works fine.

    There are a number of tunnel options, I often use ipsec profiles applied to the tunnel interface and no crypto map on the physical interface. Try "tunnel mode ?" to see the tunnel types available.

    Spice Weasel
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
  3. HMSPresident

    HMSPresident Bit Poster

    .. yep, found this document that highlights the change from applying to both Tunnel and Physical, to just Physical..

    I guess SDM does both for "backwards-compatibility", but seeing as the SDM knows what version you're running, you'd think it would know what to do..
    Certifications: See sig..

Share This Page