From: Roth, Joshua (JRoth@spectrumccsi.com)
Date: Tue Mar 18 2003 - 21:21:18 GMT-3
GRE also gives you an interface which will allow you to pass a routing
protocol through your VPN. Without that tunnel interface dynamic routing
won't happen.
-----Original Message-----
From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
Sent: Tuesday, March 18, 2003 3:16 PM
To: Jeongwoo Park; Tasuka Amano Hsu
Cc: ccielab@groupstudy.com
Subject: RE: GRE Tunnel with IPSec encapsulation!
JP,
Tasuka can probably answer what he is trying to accomplish. But my answer
would be, IPSec is providing the encryption, and GRE is providing the
tunneling (encapsulation). Without IPSEC, the GRE data going across the
public internet will be unsecured.
GRE just encaps the packet, making a VPN over the IP network.
Thanks,
Patrick B
-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Tuesday, March 18, 2003 3:23 PM
To: 'Tasuka Amano Hsu'
Cc: 'ccielab@groupstudy.com'
Subject: RE: GRE Tunnel with IPSec encapsulation!
Just out of curiosity,
Why would you need GRE tunnel outside the ipsec tunnel?
JP
-----Original Message-----
From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
Sent: Monday, March 17, 2003 7:28 PM
To: Brown, Patrick (NSOC-OCF}
Cc: ccielab Groupstudy
Subject: Re: GRE Tunnel with IPSec encapsulation!
Thanks, I think too much about it!
Only permitting gre traffic works too.
Best Regards
Tasuka
On Monday, Mar 17, 2003, at 23:38 Asia/Taipei, Brown, Patrick
(NSOC-OCF} wrote:
> You only need the access-list 101 permit gre host <tunnel source> host
> <tunnel destination> on both routers. All traffic traversing the GRE
> tunnel will be encrypted. Set the configuration to TRANSPORT mode on
> your IPSEC transform sets.
> You also have to set the Crypto maps on the GRE interfaces, and the
> egress interface.
>
> Thanks,
>
> Patrick B
> -----Original Message-----
> From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
> Sent: Monday, March 17, 2003 2:30 AM
> To: ccielab Groupstudy
> Subject: GRE Tunnel with IPSec encapsulation!
>
>
> Here is my GRE tunnel over IPSec configuration, and it works, but
> do I consider too much at the access-list? Or use too many commands to
> do it? I tried the IP-IP tunnel mode, and the GRE-IP mode is the same
> config. If I do not put the crypto map at interface tunnel0, then
> I get an error saying protocol type 47 is not encapsulated with
> IPSec. Could somebody share yours?
>
> R1 and R2 are connected via Ethernet directly.
>
> Best Regards
>
> Tasuka
>
>
> !
> hostname R1
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key cisco address 172.16.100.174
> !
> !
> crypto ipsec transform-set IPform1 ah-md5-hmac
> crypto ipsec transform-set IPform2 esp-des
> !
> crypto map IPSEC 10 ipsec-isakmp
> set peer 172.16.100.174
> set transform-set IPform2 IPform1
> set pfs group1
> match address 101
> !
> interface Tunnel0
> ip address 172.16.11.1 255.255.255.0
> tunnel source 172.16.100.253
> tunnel destination 172.16.100.174
> tunnel sequence-datagrams
> tunnel checksum
> tunnel path-mtu-discovery
> crypto map IPSEC
> !
> interface Ethernet0
> ip address 172.16.100.253 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> crypto map IPSEC
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.100.174
> no ip http server
> !
> access-list 101 deny ahp any any
> access-list 101 deny esp any any
> access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
> access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
> !
>
> !
> hostname R2
> !
> enable password cisco
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key cisco address 172.16.100.253
> !
> !
> crypto ipsec transform-set IPform1 ah-md5-hmac
> crypto ipsec transform-set IPform2 esp-des
> !
> crypto map IPSS 10 ipsec-isakmp
> set peer 172.16.100.253
> set transform-set IPform2 IPform1
> set pfs group1
> match address 101
> !
> interface Tunnel0
> ip address 172.16.11.2 255.255.255.0
> tunnel source 172.16.100.174
> tunnel destination 172.16.100.253
> tunnel sequence-datagrams
> tunnel checksum
> tunnel path-mtu-discovery
> crypto map IPSS
> !
> interface Ethernet0
> ip address 172.16.100.174 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> crypto map IPSS
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.100.253
> no ip http server
> !
> access-list 101 deny ahp any any
> access-list 101 deny esp any any
> access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
> access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
> !
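The point of the thread is that the crypto map's `match address 101` decides which packets get IPsec protection, and that a single `permit gre` line between the tunnel endpoints is enough. The following is an added example, not code from the thread or from Cisco: a small evaluator for the subset of IOS extended-ACL syntax used in the posted configs (`permit`/`deny`, a protocol keyword, `host`/`any` addresses). It replays R1's `access-list 101` as posted, and the one-line version Patrick suggested, against constructed sample packets and reports which line each packet hits, or the implicit deny at the end of every ACL. The address values are copied from the configs above; everything else (function names, the sample packets) is this example's own.

```python
"""Evaluate a Cisco-style crypto access-list against sample packets.

Added example, not part of the mailing-list thread. Handles only the
syntax subset seen in the posted configs:
    access-list <n> <permit|deny> <gre|ahp|esp|ip> <host A|any> <host B|any>
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS protocol keywords -> IP protocol numbers. "ip" matches any protocol.
PROTO_NUM = {"gre": 47, "ahp": 51, "esp": 50, "ip": None}


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # one of the PROTO_NUM keys
    src: str     # dotted-quad host address or "any"
    dst: str     # dotted-quad host address or "any"


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)!r}")


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the ACL lines in order; order matters for first-match semantics."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        action, proto = tok[2], tok[3]
        if proto not in PROTO_NUM:
            raise ValueError(f"unsupported protocol keyword: {proto}")
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def evaluate(entries: List[AclEntry], proto_num: int, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation.

    Returns (action, 1-based line number) of the first matching entry, or
    ("deny", None) for the implicit deny that ends every IOS access-list.
    For a crypto ACL, "permit" means the packet is handed to IPsec.
    """
    for i, e in enumerate(entries, start=1):
        want = PROTO_NUM[e.proto]
        if (want is None or want == proto_num) and _addr_match(e.src, src) and _addr_match(e.dst, dst):
            return e.action, i
    return "deny", None


# Constructed input: R1's access-list 101 exactly as posted, and the
# single "permit gre" line Patrick said is all that is needed.
R1, R2 = "172.16.100.253", "172.16.100.174"
R1_ACL = parse_acl([
    "access-list 101 deny ahp any any",
    "access-list 101 deny esp any any",
    f"access-list 101 permit gre host {R1} host {R2}",
    f"access-list 101 permit ip host {R1} host {R2}",
])
GRE_ONLY_ACL = parse_acl([
    f"access-list 101 permit gre host {R1} host {R2}",
])

# Constructed sample packets leaving R1 toward R2: (label, protocol number).
SAMPLE_PACKETS = [("GRE (tunnel traffic)", 47), ("ESP (already IPsec)", 50), ("ICMP (plain IP)", 1)]


def main() -> None:
    for label, acl in (("R1 ACL as posted", R1_ACL), ("permit gre only", GRE_ONLY_ACL)):
        print(f"== {label} ==")
        for name, proto in SAMPLE_PACKETS:
            action, line = evaluate(acl, proto, R1, R2)
            where = f"line {line}" if line else "implicit deny"
            print(f"  {name:<22} -> {action:<6} ({where})")


if __name__ == "__main__":
    main()
```

With the posted ACL, GRE from R1 to R2 hits line 3 and is encrypted, ESP and AH packets stop at the deny lines and are never handed back to the crypto map, and any other IP between the endpoints is swept up by line 4. With only the `permit gre` line, GRE still matches and everything else falls to the implicit deny, which is the behaviour Tasuka confirmed works.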
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:42 GMT-3