Re: IPSec over GRE -vs- GRE over IPSec

From: Joe Deleonardo (joe_deleonardo@hotmail.com)
Date: Tue Jul 15 2003 - 15:00:47 GMT-3


Doesn't that seem like the same thing to you?

First you create a GRE tunnel. Then you create an IPSec Tunnel and run the
IPSec tunnel over the GRE tunnel. I guess what you're saying is run the IPX
traffic over the GRE tunnel in tandem with the IPSec tunnel?

But why bother having the IPSec run over the GRE tunnel at all?

Every example I find has the crypto map bound to the tunnel and the physical
interface. That would seem to indicate that it's GRE over IPSec.

I would think if you wanted to do IPSec over GRE you'd just bind the crypto
map to the tunnel interface only. I need to go do this in the lab to see if
this is possible.

Unless maybe you wanted to take some load off a core router and have the
IPSec tunnel decrypt on a distribution router. But that still doesn't make
sense, just let the IPSec tunnel through. You're going to have to let the
GRE tunnel through anyway.

Unless there's a situation where there are some advantages with NAT.
Hmmm....

----- Original Message -----
From: "Charles Church" <cchurch@wamnet.com>
To: "Joe Deleonardo" <joe_deleonardo@hotmail.com>;
<cciesecurity@yahoogroups.com>; <ccielab@groupstudy.com>;
<security@groupstudy.com>
Sent: Tuesday, July 15, 2003 10:32 AM
Subject: RE: IPSec over GRE -vs- GRE over IPSec

> I suppose if you had a large amount of IPX traffic that didn't need to be
> encrypted but did need to be tunneled over the IP networks, then IPSec over
> GRE might make sense. No sense wasting router CPU if you don't need to
> encrypt something.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Joe Deleonardo
> Sent: Tuesday, July 15, 2003 1:09 PM
> To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: IPSec over GRE -vs- GRE over IPSec
>
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes sense,
> it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a link to a
> config example? ... if it's something?
>
> Thanks,
>
> Joe
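
The two orderings discussed in this thread, side by side, as an added Cisco IOS configuration example that is not from either poster. All addresses, ACL numbers, map names, interface names and the key are constructed placeholders; only one variant would be configured at a time, with the mirror image on the far router.

```cisco
! Constructed lab values: WAN 192.0.2.1 <-> 198.51.100.1,
! tunnel 10.0.0.1 <-> 10.0.0.2, LANs 172.16.1.0/24 and 172.16.2.0/24.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
! --- Variant A: GRE over IPSec ---------------------------------------
! The crypto ACL matches the GRE packets themselves, so everything the
! tunnel carries (IP, IPX, routing-protocol multicast) is encrypted.
! The IPSec peer is the far router's WAN address.
crypto isakmp key PLACEHOLDER-KEY address 198.51.100.1
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
crypto map GRE-IN-IPSEC 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 101
interface Serial0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-IN-IPSEC
!
! --- Variant B: IPSec over GRE ---------------------------------------
! The crypto ACL matches only LAN-to-LAN IP traffic and the map is bound
! to the tunnel interface only. Matching packets are encrypted first and
! then GRE-encapsulated; anything else in the tunnel (the IPX case from
! the quoted reply) is carried by GRE unencrypted.
! The IPSec peer is the far end's tunnel address, reached through GRE.
crypto isakmp key PLACEHOLDER-KEY address 10.0.0.2
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
crypto map IPSEC-IN-GRE 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address 102
interface Tunnel0
 crypto map IPSEC-IN-GRE
! Protected traffic must be routed into the tunnel for the map to apply.
ip route 172.16.2.0 255.255.255.0 Tunnel0
```

In variant B the GRE header and any non-matching traffic are visible on the transit network, so the crypto ACL defines exactly what is protected.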



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:40 GMT-3