RE: Ipsec over gre tunnel

From: Erhan Kurt (kurt@xxxxxxxxxxxxxxx)
Date: Fri May 17 2002 - 08:56:55 GMT-3


   
Thanks Carlos.
In brief, unless said, you don't need any tunnel interface in IPSec.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm

"In simple terms, IPSec provides secure tunnels between two peers, such as
two routers. You define which packets are considered sensitive and should be
sent through these secure tunnels, and you define the parameters which
should be used to protect these sensitive packets, by specifying
characteristics of these tunnels. Then, when the IPSec peer sees such a
sensitive packet, it sets up the appropriate secure tunnel and sends the
packet through the tunnel to the remote peer."

For an example scenario: http://www.fatkid.com/html/393_ipsec.html

Never Give Up,
Erhan

-----Original Message-----
From: Carlos G Mendioroz [mailto:tron@huapi.ba.ar]
Sent: Friday, 17 May 2002 14:10
To: Dan.Thorson@seagate.com
Cc: tobrien@cinci.rr.com; Groupstudy ccielab list; elpingu; Paul
Subject: Re: Ipsec over gre tunnel

We are going kind of cryptic here... :-)

May I clarify some things so we (I) can know what we are talking about?

We have basically something like:

        NetA --- RtrA --- public network --- RtrB --- NetB

and we want to secure NetA-NetB traffic. (and we could have more
networks, etc...)

A tunnel from RtrA to RtrB (e.g. GRE tunnel) would encapsulate said traffic
so the public network does not mess with the routing.

An IpSec tunnel would also do that but could provide some added security
features like privacy, authenticity, non-repudiation or repudiation and
integrity.

But it is ALSO a tunnel. One thing though, is that it expects IP traffic.
(hey, it's IP sec :-)
So if traffic between NetA and NetB is IPX, then we can tunnel it into
a GRE tunnel, and then tunnel it into an IPsec tunnel.

What I don't understand is why someone would want to define an IPsec
"inside" a GRE tunnel. That is, make a GRE tunnel between RtrA and RtrB
and then define an IPsec tunnel inside it.

Well, the only reason I see (apart from lab requirement) is that we want
to tunnel ALL traffic and secure only SOME (via crypto map). Is that it?

Dan.Thorson@seagate.com wrote:
>
> Tim said:
>
> > So, is it better to encrypt the GRE traffic (encrypt the tunnel itself) or
> > is it better to specify the traffic, encrypt it, and then send it through
> > the GRE tunnel?
>
> Well, I know how to do the 1st, but don't know how to do the 2nd! <grin>
>
> Your 2nd option (is it possible?) would require separately encrypting the
> IP & IPX traffic flows prior to encapsulating them, which seems more
> cpu-intensive. Again, I don't know how I'd do it...
>
> danT

--
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
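
The layering described in the thread (IP and IPX into a GRE tunnel, then the GRE flow into IPsec), as an added Cisco IOS configuration example for the RtrA side; it is not part of the original messages. Addresses, interface names, IPX network numbers, map/ACL names, the key and the algorithm choices are assumptions.

```cisco
! Added example, RtrA only; RtrB mirrors it with the peer addresses swapped.
! Assumed: 192.0.2.1 = RtrA public address, 198.51.100.1 = RtrB public
! address (documentation ranges); PLACEHOLDER_KEY is a placeholder.
!
ipx routing
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_KEY address 198.51.100.1
!
! 3des/sha are assumed, era-typical choices; use the strongest your image has.
! Transport mode: GRE already supplies the outer IP header between the peers.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! The "sensitive" traffic is the GRE flow itself, so one ACL line covers
! every protocol the tunnel carries, IP and IPX alike.
access-list 110 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 110
!
interface Ethernet0
 description NetA
 ip address 10.1.1.1 255.255.255.0
 ipx network A
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ipx network C
 tunnel source Serial0
 tunnel destination 198.51.100.1
 ! Older IOS releases expect the map on the tunnel as well as on the
 ! physical egress interface.
 crypto map GRE-MAP
!
interface Serial0
 description public network
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 10.2.2.0 255.255.255.0 Tunnel0
```

Once traffic crosses the tunnel, `show crypto ipsec sa` on RtrA should list a security association for the GRE flow between the two public addresses with rising encapsulation counters.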

