From: Tim O'Brien (tobrien@xxxxxxxxxxxx)
Date: Fri May 17 2002 - 08:16:46 GMT-3
That is correct. I would use access-lists that match the traffic I wanted to
encrypt and then shoot it through the tunnel. If it was traffic that I did
not care about encrypting, then it could just pass without any manipulation.
My main problem is that the customer has an 806 and wants 3DES... :) So I
was trying to reduce the crypto traffic to the necessary minimum so as not
to crush the router and add unnecessary lag due to CPU utilization.
Tim
CCIE 9015
-----Original Message-----
From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
Sent: Friday, May 17, 2002 7:10 AM
To: Dan.Thorson@seagate.com
Cc: tobrien@cinci.rr.com; Groupstudy ccielab list; elpingu; Paul
Subject: Re: Ipsec over gre tunnel
We are going kind of cryptic here... :-)
May I clarify some things so we (I) can know what we are talking about?
We have basically something like:
NetA --- RtrA --- public network --- RtrB --- NetB
and we want to secure NetA-NetB traffic. (and we could have more
networks, etc...)
A tunnel from RtrA to RtrB (e.g. GRE tunnel) would encapsulate said
traffic so the public network does not mess with the routing.
An IPsec tunnel would also do that but could provide some added security
features like privacy, authenticity, non-repudiation or repudiation and
integrity.
But it is ALSO a tunnel. One thing though, is that it expects IP
traffic.
(hey, it's IPsec :-)
So if traffic between NetA and NetB is IPX, then we can tunnel it into
a GRE tunnel, and then tunnel it into an IPsec tunnel.
What I don't understand is why someone would want to define an IPsec
"inside" a GRE tunnel. That is, make a GRE tunnel between RtrA and RtrB
and then define an IPsec tunnel inside it.
Well, the only reason I see (apart from lab requirement) is that we want
to tunnel ALL traffic and secure only SOME (via crypto map). Is that it?
Dan.Thorson@seagate.com wrote:
>
> Tim said:
>
> > So, is it better to encrypt the GRE traffic (encrypt the tunnel itself) or
> > is it better to specify the traffic, encrypt it, and then send it through
> > the GRE tunnel?
>
> Well, I know how to do the 1st, but don't know how to do the 2nd! <grin>
>
> Your 2nd option (is it possible?) would require separately encrypting the
> IP & IPX traffic flows prior to encapsulating them, which seems more
> CPU-intensive. Again, I don't know how I'd do it...
>
> danT
-- Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
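The two designs the thread is comparing (encrypt the whole GRE tunnel, or select some inner flows with a crypto ACL and only encrypt those before they enter the tunnel) can be modelled as a small classifier. The script below is an added example for this archive, not configuration or code from any of the posters; it assumes a constructed topology (NetA 10.1.0.0/16 behind RtrA, NetB 10.2.0.0/16 behind RtrB, public addresses 203.0.113.1/.2) and two constructed crypto ACLs, and it only models which encapsulations a packet would receive and how many packets end up on the crypto engine, not IOS crypto-map placement or IKE.

```python
"""Model of 'encrypt the tunnel' vs 'encrypt selected flows, then tunnel'.

Added example with a constructed topology; it is not from the mailing-list
posts and does not reproduce any real router configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class AclEntry:
    """One 'permit <proto> <src> <wildcard> <dst> <wildcard>' line of a crypto ACL."""
    proto: str       # "ip" or "gre"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def acl_permits(acl: Sequence[AclEntry], proto: str, src: str, dst: str) -> bool:
    """Permit-only crypto ACL: any matching entry selects the flow for IPsec."""
    return any(
        e.proto == proto
        and _wild_match(src, e.src, e.src_wild)
        and _wild_match(dst, e.dst, e.dst_wild)
        for e in acl
    )


@dataclass(frozen=True)
class Packet:
    proto: str   # "ip" or "ipx"; IPsec can only protect "ip" directly
    src: str     # for IPX an opaque network.node string (constructed)
    dst: str


# Constructed topology (assumption, not from the thread).
NET_A = ipaddress.ip_network("10.1.0.0/16")    # behind RtrA
NET_B = ipaddress.ip_network("10.2.0.0/16")    # behind RtrB
RTR_A_PUBLIC = "203.0.113.1"
RTR_B_PUBLIC = "203.0.113.2"

# Design 1 ACL: match the GRE packets between the routers' public addresses.
TUNNEL_ACL = [AclEntry("gre", RTR_A_PUBLIC, "0.0.0.0", RTR_B_PUBLIC, "0.0.0.0")]
# Design 2 ACL: match only one inner subnet pair (constructed choice).
SELECT_ACL = [AclEntry("ip", "10.1.1.0", "0.0.0.255", "10.2.1.0", "0.0.0.255")]


def _site_to_site(pkt: Packet) -> bool:
    """Is this packet NetA -> NetB traffic that RtrA routes into the tunnel?"""
    if pkt.proto == "ipx":
        return True   # assumption: all IPX here is inter-site and only reachable via GRE
    return ipaddress.ip_address(pkt.src) in NET_A and ipaddress.ip_address(pkt.dst) in NET_B


def encrypt_the_tunnel(pkt: Packet, crypto_acl: Sequence[AclEntry]) -> List[str]:
    """Design 1: GRE first, then IPsec on the GRE packet. Returns layers innermost-first."""
    if not _site_to_site(pkt):
        return []                       # never enters the tunnel, never encrypted
    layers = ["gre"]
    if acl_permits(crypto_acl, "gre", RTR_A_PUBLIC, RTR_B_PUBLIC):
        layers.append("ipsec")          # every tunneled packet, IP or IPX, is encrypted
    return layers


def encrypt_selected_then_tunnel(pkt: Packet, crypto_acl: Sequence[AclEntry]) -> List[str]:
    """Design 2: only ACL-selected inner IP flows get IPsec, everything still rides GRE."""
    if not _site_to_site(pkt):
        return []
    layers = []
    if pkt.proto == "ip" and acl_permits(crypto_acl, "ip", pkt.src, pkt.dst):
        layers.append("ipsec")
    layers.append("gre")                # IPX can only be carried by GRE
    return layers


def count_encrypted(design, packets: Sequence[Packet], acl: Sequence[AclEntry]) -> int:
    """How many packets would hit the crypto engine under a design (the 806's CPU worry)."""
    return sum(1 for p in packets if "ipsec" in design(p, acl))


SAMPLE_PACKETS = [  # constructed traffic mix
    Packet("ip", "10.1.1.5", "10.2.1.9"),           # selected subnet pair
    Packet("ip", "10.1.7.5", "10.2.9.9"),           # inter-site, not selected
    Packet("ipx", "AA.0000.0000.0001", "BB.0000.0000.0002"),
    Packet("ip", "10.1.1.5", "198.51.100.7"),       # Internet-bound, not tunneled
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.proto, p.src, "->", p.dst,
              "| tunnel-encrypted:", encrypt_the_tunnel(p, TUNNEL_ACL),
              "| selected-then-tunnel:", encrypt_selected_then_tunnel(p, SELECT_ACL))
    print("crypto load, design 1:", count_encrypted(encrypt_the_tunnel, SAMPLE_PACKETS, TUNNEL_ACL))
    print("crypto load, design 2:", count_encrypted(encrypt_selected_then_tunnel, SAMPLE_PACKETS, SELECT_ACL))
```

Running it shows the trade-off Tim describes: design 1 encrypts three of the four sample packets (including the IPX one), design 2 only the one flow the crypto ACL selects, at the cost of the non-selected inter-site traffic crossing the public network in the clear inside GRE.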
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:59 GMT-3