From: Luan Nguyen (lm_nguyen@xxxxxxxxxxx)
Date: Thu Aug 01 2002 - 00:27:43 GMT-3
The Cisco way of implementing GRE/IPsec is to put the crypto map on both the
GRE and the real interface. With this kind of encryption, your access-list
will only need to permit GRE. Never tried permit ip with this though, 'cuz
GRE is a different protocol, 47 I think, so I don't think permit ip with
GRE/IPsec will work.

A packet will get encapsulated with the GRE header first before IPsec gets
slapped on... IPsec with GRE is usually in transport mode.

Permit all IP will work with pure IPsec (without the GRE tunnel). The GRE
tunnel gives you the flexibility of running routing protocols like OSPF,
EIGRP inside the tunnel... even though you can also run BGP over pure
IPsec... never tried OSPF/EIGRP though.

Hope that helps.

From: "Prakash H Somani" <pdsccie@rediffmail.com>
Reply-To: "Prakash H Somani" <pdsccie@rediffmail.com>
To: "Anthony Pace" <anthonypace@fastmail.fm>
CC: ccielab@groupstudy.com
Subject: Re: IPSEC and GRE
Date: 27 Jul 2002 15:00:01 -0000
Hi,
I suggest you go to Networkers 2001 and read a presentation given on IPSec
implementation on large enterprises... It's a good presentation.
Regards... Prakash
On Thu, 25 Jul 2002 Anthony Pace wrote :
>To encrypt a GRE tunnel is it best to apply the crypto map to the GRE
>tunnel interface or the real interface(s) the traffic will ultimately
>traverse. If the answer is both, then do I set up the access-list to
>encrypt all IP or just GRE traffic.
>
>I would think that if you applied the map to the real interface, and
>the ACL matched GRE then it would work.
>
>I would think that if you applied the map to the GRE, and the ACL
>matched all IP then it would also work.
>
>The examples I have seen put it on both. What is the difference and
>does it matter?
>
>Anthony Pace
>--
> Anthony Pace
> anthonypace@fastmail.fm
>
>--
>http://fastmail.fm - Email service worth paying for. Try it for free.
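
The arrangement discussed in this thread (crypto map on both the tunnel and the physical interface, a crypto ACL that matches only GRE between the tunnel endpoints, IPsec in transport mode), as an added Cisco IOS configuration example that is not from any of the posters. Interface names, addresses (documentation ranges), the map, transform-set and ACL names, the cipher choices and the pre-shared key placeholder are all assumptions.

```cisco
! Added example for one router; the peer is the mirror image.
! Local physical address 192.0.2.1, remote 198.51.100.1 (assumed).
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret per peer.
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 198.51.100.1
!
! Transport mode: GRE already supplies the outer IP header, so a
! second tunnel-mode header would only add overhead.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL: the router encapsulates in GRE first, so what IPsec
! sees is a GRE packet between the two tunnel endpoints.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
 crypto map GRE-MAP
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
! Routing protocol runs inside the tunnel, as described in the reply.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
```

Once the peer carries the mirrored configuration, `show crypto ipsec sa` should show the encaps and decaps counters rising as traffic crosses Tunnel0; counters that stay at zero while the tunnel passes traffic mean the GRE packets are leaving unencrypted.
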
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:13 GMT-3