#1 itdaddy (Senior Member; joined Jan 2006; certifications: A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S)

gre/ipsec or ipsec/gre

gre/ipsec applied to the tunnel
ipsec/gre applied to the interface

Right?

Which one encrypts everything, data and routing information? ipsec/gre?
And which one encrypts data only and not routing information?

Thanks guys

#2 Member from Jülich, Germany (joined May 2013; certifications: ASC, CCNA R&S, CCDA, CHFI, CEH, CCNA SEC, CCAI, CCNP R&S)
If you place an ACL for GRE and add it to the crypto map, you do GRE over IPsec and everything is encrypted.

The other way means only the IPsec-defined data is encrypted.

#3 itdaddy
Why do you apply it to the interface sometimes and sometimes to the tunnel? I thought GRE/IPsec was when you applied it to the tunnel interface and IPsec/GRE is when you applied it to the interface? I understand that GRE via ACL triggers interesting traffic, I get that.

#4 Member from Jülich, Germany
You apply IPsec to the outgoing interface to encrypt everything that is in the tunnel.
GRE, like every protocol, encapsulates the data and sends it over the outgoing interface.

In the old IOS versions you had to apply the crypto map to the tunnel too.

If you send encrypted traffic over the tunnel (crypto map only on the tunnel), then routing information and data not protected by the map are in plaintext.

#5 itdaddy
Right. So if you put the crypto map on both, then both GRE routing information and data are encrypted,
but
if the crypto map is only on the tunnel, GRE routing information is exposed?

What is transport mode vs tunnel mode? I thought tunnel mode is the preferred way since it is the one that determines whether a tunnel is encrypted entirely?

#6 Member from Jülich, Germany
Half :P

192.168.0.0/24
R1 <- INTERNET -> HQ
.1              .2
Tunnel: 192.168.1.0/24

int tunnel 1
 ip address 192.168.1.1 255.255.255.0
 no shut
 exit
router eigrp 1
 network 192.168.1.0   ! so routing information goes through the tunnel
 exit

Your crypto map (R1 would be ....)

HQ(config)#crypto map maptohq 10 ipsec-isakmp
HQ(config-crypto-map)# set peer 192.168.0.1
HQ(config-crypto-map)# match address 100
HQ(config)#access-list 100 permit gre any any
HQ(config-if)#crypto map maptohq

So you don't need to add any more crypto maps, because every GRE packet (which is our GRE tunnel with the data/routing inside) gets encrypted.

Transport mode just defines that the data is not modified and not encrypted.

#7 itdaddy
So you set GRE via ACL as interesting traffic to trigger the tunnel, which carries all data/routing, and encrypt it under the interface. But do you use transport mode vs tunnel mode? You use the tunnel mode command?
    Last edited by itdaddy; 08-30-2016 at 02:22 PM.
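Putting the config fragment from #6 and the transport/tunnel mode question from #7 together, here is a complete R1 side of a GRE-over-IPsec tunnel with the crypto map on the physical interface; HQ mirrors it with the addresses swapped. This is an added example, not a poster's configuration: the pre-shared key, the TS-GRE and MAP-HQ names, the LAN prefix 10.1.1.0/24 and the GigabitEthernet0/0 interface name are assumptions.

```cisco
! R1 side of a GRE-over-IPsec tunnel; HQ mirrors this with the
! addresses swapped. Added example: the PSK, the TS-GRE / MAP-HQ
! names, the LAN prefix 10.1.1.0/24 and the interface name are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 192.168.0.2
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 ! Transport mode keeps the GRE packet's own outer IP header
 ! (192.168.0.1 -> 192.168.0.2) and protects only what follows it;
 ! tunnel mode (the default) would add a second outer IP header.
 ! In both modes the GRE payload, i.e. user data and the EIGRP
 ! hellos/updates, sits inside ESP.
 mode transport
!
crypto map MAP-HQ 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set TS-GRE
 match address 100
!
! Interesting traffic is the GRE tunnel itself, not the inner subnets,
! so everything the tunnel carries is encrypted.
access-list 100 permit gre host 192.168.0.1 host 192.168.0.2
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source 192.168.0.1
 tunnel destination 192.168.0.2
 ! No crypto map here: the map on the physical interface already
 ! matches every GRE packet this tunnel emits.
!
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 crypto map MAP-HQ
!
router eigrp 1
 network 192.168.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
```

To confirm that routing information really is inside ESP, run `show crypto ipsec sa` on R1 with no user traffic flowing: the `#pkts encaps` and `#pkts decaps` counters should keep rising from the EIGRP hellos alone. On current IOS the same result is more commonly achieved with a `crypto ipsec profile` and `tunnel protection ipsec profile` on the tunnel interface instead of a crypto map on the physical interface.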

#8 Member from Pittsburgh, Pa (joined May 2011; certifications: CCNA:R&S/S, CCNP:R&S, Security+, Palo Alto ACE v7.0)
Just curious, are you trying to set up a DMVPN, which is a GRE tunnel that could have IPsec encryption placed on it or not, as it's not "required" for the tunnels to come up and pass data?