Re: IPSec mode transport

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Wed Mar 06 2002 - 10:22:02 GMT-3


   
I was going to go into a bunch of junk, but it might just be better to say
you can use tunnel or transport mode when using a GRE tunnel in conjunction
with IPSec, but it is recommended you use Transport mode. The reason being
there is no reason to have IPSec add an additional IP header when GRE has
done it.
It would probably help to take the time to review how a packet looks after
transport mode and after tunnel mode.
One last thing. No matter if you are using tunnel or transport mode you
always have to add the crypto map to the virtual as well as the physical
interface.

>>>Brian

>From: "A Yigit Zorlu" <alec_cisco@yahoo.com>
>Reply-To: "A Yigit Zorlu" <alec_cisco@yahoo.com>
>To: <ccielab@groupstudy.com>
>Subject: IPSec mode transport
>Date: Wed, 6 Mar 2002 13:13:35 +0200
>
>Hi group,
>
>
>crypto ipsec transform-set VPN esp-des esp-sha-hmac
> mode transport ! (optional - but recommended since your GRE tunnel
>provides tunnelling)
>
>Do I have to put this? I remember I have made it work in a couple of
>scenarios, IPSec over Tunnel. I enabled the crypto map on both the tunnel
>interface and the serial. Then it worked.
>
>When do I need this mode transport cmd?
>
>Regards,
>
>Yigit
>
>
>
>
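
Added example, not part of either message: the byte layout of one GRE-encapsulated packet after ESP in transport mode and in tunnel mode, for the esp-des esp-sha-hmac transform set quoted above. The header sizes are assumptions (IPv4 without options, basic 4-byte GRE header, 8-byte DES-CBC IV, HMAC-SHA-1 truncated to 96 bits), and all function names are hypothetical.

```python
"""Byte layout of a GRE packet after ESP in transport vs. tunnel mode."""

IP_HDR = 20      # IPv4 header without options (assumed)
GRE_HDR = 4      # basic GRE header, no key/checksum/sequence (assumed)
ESP_HDR = 8      # SPI (4) + sequence number (4)
DES_IV = 8       # esp-des: DES-CBC initialisation vector
DES_BLOCK = 8    # esp-des: cipher block size, drives ESP padding
ESP_TRAILER = 2  # pad length (1) + next header (1)
ICV = 12         # esp-sha-hmac: HMAC-SHA-1 truncated to 96 bits


def esp_layout(inner_len, mode):
    """Return the ordered (field, bytes) list for one inner IP packet in GRE."""
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode: {mode}")
    # GRE runs first, producing [GRE delivery IP][GRE][inner IP packet].
    protected = [("GRE header", GRE_HDR), ("inner IP packet", inner_len)]
    if mode == "tunnel":
        # The GRE delivery header is encrypted too and a new IP header is added.
        protected.insert(0, ("GRE delivery IP header", IP_HDR))
        outer = ("IPsec outer IP header", IP_HDR)
    else:
        # Transport mode keeps the GRE delivery header as the only outer header.
        outer = ("GRE delivery IP header", IP_HDR)
    plain = sum(size for _, size in protected) + ESP_TRAILER
    pad = -plain % DES_BLOCK  # pad so payload + trailer fills whole DES blocks
    return [outer, ("ESP header", ESP_HDR), ("DES IV", DES_IV), *protected,
            ("ESP padding", pad), ("ESP trailer", ESP_TRAILER), ("ESP ICV", ICV)]


def wire_size(inner_len, mode):
    """Total bytes on the wire for the protected packet."""
    return sum(size for _, size in esp_layout(inner_len, mode))


def max_inner(mtu, mode):
    """Largest inner packet that still fits in mtu once GRE and ESP are added."""
    for inner_len in range(mtu, -1, -1):
        if wire_size(inner_len, mode) <= mtu:
            return inner_len
    return None


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode}: {wire_size(100, mode)} bytes for a 100-byte inner packet")
        for field, size in esp_layout(100, mode):
            print(f"  {size:4d}  {field}")
        print(f"  largest inner packet at MTU 1500: {max_inner(1500, mode)}")
```

Because ESP pads to the 8-byte DES block, the extra 20-byte IP header in tunnel mode costs 16 or 24 bytes on the wire depending on the inner packet length.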



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:54 GMT-3