RE: GRE Tunnel with IPSec encapsulation!

From: Brown, Patrick (NSOC-OCF} (PBrown4@chartercom.com)
Date: Thu Mar 20 2003 - 16:04:55 GMT-3


I would not recommend using tunnel-key as any means of security.
- It does not secure the data in the GRE packet traversing the net.
- It carries this key inside the GRE data that is not encrypted.
Basically it's just like a password that will let you establish tunnel
adjacencies.
But it's better than nothing!

Tx,

Patrick B
-----Original Message-----
From: Anthony Pace [mailto:anthonypace@fastmail.fm]
Sent: Thursday, March 20, 2003 12:40 PM
To: Roth, Joshua; Brown, Patrick (NSOC-OCF}; Jeongwoo Park; Tasuka Amano
Hsu
Cc: ccielab@groupstudy.com
Subject: RE: GRE Tunnel with IPSec encapsulation!

Another reason to use GRE is if you need to bypass parts of your
architecture at layer 3 and connect routers 1 and 3 without "hopping" to
Router 2. Maybe duplicate addresses exist there; maybe you don't want
Layer 3 connectivity to anything connected to Router 2. It is also
possible to secure the GRE without using IPSEC. It's a one-line "tunnel
key".

IPSEC without the GRE is only for directed traffic such as a client's
"data". The GRE is considered an interface where BCAST and MCAST can go
from router to router.

Anthony Pace CCIE10349

On Tue, 18 Mar 2003 16:21:18 -0800, "Roth, Joshua"
<JRoth@spectrumccsi.com> said:
> GRE also gives you an interface which will allow you to pass a routing
> protocol through your VPN. Without that tunnel interface dynamic routing
> won't happen.
>
>
> -----Original Message-----
> From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
> Sent: Tuesday, March 18, 2003 3:16 PM
> To: Jeongwoo Park; Tasuka Amano Hsu
> Cc: ccielab@groupstudy.com
> Subject: RE: GRE Tunnel with IPSec encapsulation!
>
> JP,
>
> Tasuka can probably answer what he is trying to accomplish. But my answer
> would be, IPSec is providing the encryption, and GRE is providing the
> tunneling (encapsulation). Without IPSEC, the GRE data going across the
> public internet will be unsecured.
> GRE just encaps the packet, making a VPN over the IP network.
>
> Thanks,
>
> Patrick B
>
> -----Original Message-----
> From: Jeongwoo Park [mailto:jpark@wams.com]
> Sent: Tuesday, March 18, 2003 3:23 PM
> To: 'Tasuka Amano Hsu'
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: GRE Tunnel with IPSec encapsulation!
>
>
> Just out of curiosity,
> Why would you need GRE tunnel outside the ipsec tunnel?
>
> JP
>
> -----Original Message-----
> From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
> Sent: Monday, March 17, 2003 7:28 PM
> To: Brown, Patrick (NSOC-OCF}
> Cc: ccielab Groupstudy
> Subject: Re: GRE Tunnel with IPSec encapsulation!
>
>
> Thanks, I think too much about it!
> Only permitting GRE traffic works too.
>
> Best Regards
>
> Tasuka
>
> On Monday, Mar 17, 2003, at 23:38 Asia/Taipei, Brown, Patrick
> (NSOC-OCF} wrote:
>
> > You only need the access-list 101 permit gre host <tunnel source> host
> > <tunnel destination> on both routers. All traffic traversing the GRE
> > tunnel will be encrypted. Set the configuration to TRANSPORT mode on
> > your IPSEC transform sets.
> > You also have to set the Crypto maps on the GRE interfaces, and the
> > egress interface.
> >
> > Thanks,
> >
> > Patrick B
> > -----Original Message-----
> > From: Tasuka Amano Hsu [mailto:tasuka@mac.com]
> > Sent: Monday, March 17, 2003 2:30 AM
> > To: ccielab Groupstudy
> > Subject: GRE Tunnel with IPSec encapsulation!
> >
> >
> > Here is my GRE tunnel over IPSec configuration, and it works, but
> > do I consider too much in the access-list, or use too many commands to
> > do it? I tried the IP-IP tunnel mode and the GRE-IP mode with the same
> > config. If I did not put the crypto map on interface tunnel0, then I
> > got an error saying protocol type 47 is not encapsulated with
> > IPSec. Could somebody share yours?
> >
> > R1 and R2 are connected via Ethernet directly.
> >
> > Best Regards
> >
> > Tasuka
> >
> >
> > !
> > hostname R1
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > group 2
> > lifetime 3600
> > crypto isakmp key cisco address 172.16.100.174
> > !
> > !
> > crypto ipsec transform-set IPform1 ah-md5-hmac
> > crypto ipsec transform-set IPform2 esp-des
> > !
> > crypto map IPSEC 10 ipsec-isakmp
> > set peer 172.16.100.174
> > set transform-set IPform2 IPform1
> > set pfs group1
> > match address 101
> > !
> > interface Tunnel0
> > ip address 172.16.11.1 255.255.255.0
> > tunnel source 172.16.100.253
> > tunnel destination 172.16.100.174
> > tunnel sequence-datagrams
> > tunnel checksum
> > tunnel path-mtu-discovery
> > crypto map IPSEC
> > !
> > interface Ethernet0
> > ip address 172.16.100.253 255.255.255.0
> > no ip route-cache
> > no ip mroute-cache
> > crypto map IPSEC
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 172.16.100.174
> > no ip http server
> > !
> > access-list 101 deny ahp any any
> > access-list 101 deny esp any any
> > access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
> > access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
> > !
> >
> > !
> > hostname R2
> > !
> > enable password cisco
> > !
> > ip subnet-zero
> > ip tcp synwait-time 5
> > no ip domain-lookup
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > group 2
> > lifetime 3600
> > crypto isakmp key cisco address 172.16.100.253
> > !
> > !
> > crypto ipsec transform-set IPform1 ah-md5-hmac
> > crypto ipsec transform-set IPform2 esp-des
> > !
> > crypto map IPSS 10 ipsec-isakmp
> > set peer 172.16.100.253
> > set transform-set IPform2 IPform1
> > set pfs group1
> > match address 101
> > !
> > interface Tunnel0
> > ip address 172.16.11.2 255.255.255.0
> > tunnel source 172.16.100.174
> > tunnel destination 172.16.100.253
> > tunnel sequence-datagrams
> > tunnel checksum
> > tunnel path-mtu-discovery
> > crypto map IPSS
> > !
> > interface Ethernet0
> > ip address 172.16.100.174 255.255.255.0
> > no ip route-cache
> > no ip mroute-cache
> > crypto map IPSS
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 172.16.100.253
> > no ip http server
> > !
> > access-list 101 deny ahp any any
> > access-list 101 deny esp any any
> > access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
> > access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
> > !
>

-- 
  Anthony Pace
  anthonypace@fastmail.fm

-- http://www.fastmail.fm - The way an email service should be
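Two points in the thread are easy to check in code: Patrick's remark that the "tunnel key" travels in the clear inside the GRE header, and his earlier advice that a single "permit gre host <src> host <dst>" line is all the crypto ACL needs. The following is an added example written for this archive page, not code from any of the posters or from Cisco. It builds GRE-over-IPv4 frames per RFC 2784 (checksum) and RFC 2890 (key and sequence number, the fields behind "tunnel key" and "tunnel sequence-datagrams"), shows that an on-path observer can read the key straight out of an unencrypted frame, and then runs R1's posted access-list 101 and the one-line version through an IOS-style first-match classifier. The key value 0xCAFE, the "stranger" address 10.0.0.9 and the payload bytes are constructed for the demo; the classifier models only the protocol/host/any matching the posted ACLs actually use, not wildcard masks or ports.

```python
"""GRE-over-IPv4 framing (RFC 2784/2890) and an IOS-style first-match crypto-ACL classifier.
Added illustration for the GRE-over-IPsec thread; not code from the thread or from Cisco."""
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47                      # IP protocol number the posted crypto ACLs match on
ETHERTYPE_IPV4 = 0x0800
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum shared by the IPv4 header and the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"             # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:              # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encap(payload: bytes, key=None, seq=None, checksum=False) -> bytes:
    """Build a GRE header. key/seq/checksum mirror 'tunnel key', 'tunnel sequence-datagrams',
    'tunnel checksum' on the IOS tunnel interface."""
    flags, opt = 0, b""
    if checksum:
        flags |= FLAG_C
        opt += b"\x00\x00\x00\x00"  # checksum placeholder (filled below) + Reserved1
    if key is not None:
        flags |= FLAG_K
        opt += struct.pack("!I", key)   # the tunnel key: a plaintext 32-bit field
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4) + opt
    if checksum:
        csum = ones_complement_sum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload

def gre_decap(gre: bytes) -> dict:
    """Parse the GRE header; a correct checksum field makes the sum over the whole frame verify to 0."""
    flags, proto = struct.unpack("!HH", gre[:4])
    off, info = 4, {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    if flags & FLAG_C:
        info["checksum_ok"] = ones_complement_sum(gre) == 0
        off += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    info["payload"] = gre[off:]
    return info

def ipv4_encap(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) around the GRE frame, as it would appear on the wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload

def sniff_tunnel_key(ip_packet: bytes):
    """What an on-path observer recovers from GRE without IPsec: endpoints and the key, in clear."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != GRE_PROTO:
        return None
    src, dst = IPv4Address(ip_packet[12:16]), IPv4Address(ip_packet[16:20])
    return str(src), str(dst), gre_decap(ip_packet[ihl:])["key"]

# --- crypto ACL: which packets the crypto map hands to IPsec ------------------------
PROTO_NUM = {"ip": None, "gre": 47, "esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "icmp": 1}

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' where SRC/DST is 'any' or 'host A.B.C.D'."""
    entries = []
    for line in lines:
        tok = line.split("!")[0].split()     # drop a trailing '!' comment
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, proto, rest, addrs = tok[2], tok[3], tok[4:], []
        while rest:
            if rest[0] == "host":
                addrs.append(rest[1]); rest = rest[2:]
            else:
                addrs.append(rest[0]); rest = rest[1:]
        entries.append((action, proto, addrs[0], addrs[1]))
    return entries

def acl_selects(entries, proto: int, src: str, dst: str) -> bool:
    """IOS first-match semantics with the implicit deny at the end."""
    for action, name, s, d in entries:
        pn = PROTO_NUM[name]
        if pn is not None and pn != proto:
            continue
        if (s != "any" and s != src) or (d != "any" and d != dst):
            continue
        return action == "permit"
    return False

R1, R2 = "172.16.100.253", "172.16.100.174"      # R1's Ethernet0 and R2's Ethernet0 from the thread
POSTED_ACL = parse_acl([                         # R1's access-list 101 as posted
    "access-list 101 deny ahp any any",
    "access-list 101 deny esp any any",
    "access-list 101 permit gre host 172.16.100.253 host 172.16.100.174",
    "access-list 101 permit ip host 172.16.100.253 host 172.16.100.174 !",
])
MINIMAL_ACL = parse_acl(["access-list 101 permit gre host 172.16.100.253 host 172.16.100.174"])

def compare_acls() -> dict:
    """(posted, minimal) verdict per constructed packet; only the 4th posted line makes a difference."""
    cases = {"gre R1->R2": (47, R1, R2), "gre from stranger": (47, "10.0.0.9", R2),
             "esp R1->R2": (50, R1, R2), "icmp R1->R2": (1, R1, R2)}
    return {n: (acl_selects(POSTED_ACL, *p), acl_selects(MINIMAL_ACL, *p)) for n, p in cases.items()}

if __name__ == "__main__":
    wire = ipv4_encap(R1, R2, GRE_PROTO, gre_encap(b"inner packet", key=0xCAFE, seq=1, checksum=True))
    print("observer sees:", sniff_tunnel_key(wire))      # key 0xCAFE readable by anyone on the path
    print("ACL verdicts (posted, minimal):", compare_acls())
```

The explicit "deny ahp" and "deny esp" lines change nothing: with the one-line ACL those protocols fall to the implicit deny anyway. The only real difference is the fourth posted line, which widens the selector from GRE to all IP traffic between the two endpoint addresses (the ICMP case above), which is wider than the GRE-only selector recommended in the thread. And whatever the ACL, a GRE frame that is not inside ESP carries its key where sniff_tunnel_key reads it.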



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:42 GMT-3