Re: IPSec over GRE -vs- GRE over IPSec

From: Joe Deleonardo (jdeleonardo@cox.net)
Date: Tue Jul 15 2003 - 21:54:48 GMT-3


I agree. Adding a GRE tunnel adds additional overhead. You can send
unicast routing updates. But that solution looks at Voice and Video. I'm
not up on design issues for voice and video, so I can't comment on that
aspect.

This example is still GRE over IPSec, not IPSec over GRE. The only
difference in this example is that the IPSec tunnel is in transport mode.

Transport mode is more efficient than tunnel mode. Transport mode is a mode
usually established between two hosts, but it can be established between two
security gateways. With transport mode however the IP header is not
encrypted. You can't determine the contents of the packets but a traffic
analysis can be performed. So I guess the question would be a case by case
question. How important is it that traffic analysis not be performed?

The original question is still there. Is there any reason to run IPSec over
GRE? Or is there no such thing? It seems so far that the two phrases have
just been used interchangeably, even by Cisco. I re-read their SAFE paper
today and they use IPSec over GRE and then at the bottom have examples for
GRE over IPSec.

----- Original Message -----
From: "Szabo, Vilmos" <VS183600@exchange.UnitedKingdom.NCR.COM>
To: "'Joe Deleonardo'" <jdeleonardo@cox.net>;
<cciesecurity@yahoogroups.com>; <ccielab@groupstudy.com>;
<security@groupstudy.com>
Sent: Tuesday, July 15, 2003 3:34 PM
Subject: RE: IPSec over GRE -vs- GRE over IPSec

> Joe,
>
> One scenario for IPSec over GRE is 'IPSec Virtual Private Network Resilience
> Solutions' see the link:
>
> http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns241/netbr09186a0080185726.html
>
> ... but I would argue with the author on this solution because it requires
> two GRE tunnels + two IPSec tunnels between Remote and Central side.
>
> In my opinion it is more simple and flexible to configure a single IPSec
> tunnel so that its SRC and DST are terminated on Loopback interfaces on
> Remote and Central site routers and a Dynamic Routing protocol gives the
> resiliency for the IPSec tunnel.
>
> Let me know your opinion!
>
> Regards,
>
> Vilmos
>
> -----Original Message-----
> From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
> Sent: 15 July 2003 19:38
> To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: Re: IPSec over GRE -vs- GRE over IPSec
>
>
> About the only reason I can think of is if you had a requirement to use AH
> and you weren't allowed to do NAT before IPSec and NAT Transparency is not an
> option.
> ----- Original Message -----
> From: Joe Deleonardo
> To: cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ;
> security@groupstudy.com
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright is this just a play on words or what? GRE over IPSec makes sense,
> it's used to transport non unicast traffic.
>
> But why would you want to do IPSec over GRE. Does anyone have a link to a
> config example? ... if it's something?
>
> Thanks,
>
> Joe
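The three header arrangements the thread keeps comparing, as an added Python model (not code from the thread, from Cisco, or from the SAFE paper); the gateway and host addresses are constructed samples. It lists each stack outermost-first and shows which headers a passive observer on the path can parse, which addresses stay in the clear, and how many IP headers each arrangement carries.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str          # "ip", "gre", "esp" or "payload"
    src: str = ""      # addresses are only set on "ip" layers
    dst: str = ""

# Constructed sample addresses (assumed; none appear in the thread).
GW_A, GW_B = "192.0.2.1", "198.51.100.1"   # site routers (tunnel endpoints)
HOST_A, HOST_B = "10.1.0.7", "10.2.0.9"    # private hosts behind them

def gre_over_ipsec_tunnel():
    # ESP in tunnel mode protects the whole GRE packet, delivery header
    # included, and prepends a fresh outer IP header.
    return [Layer("ip", GW_A, GW_B), Layer("esp"),
            Layer("ip", GW_A, GW_B), Layer("gre"),
            Layer("ip", HOST_A, HOST_B), Layer("payload")]

def gre_over_ipsec_transport():
    # ESP in transport mode reuses the GRE delivery header as the outer
    # header: one IP header fewer, but that header travels in the clear.
    return [Layer("ip", GW_A, GW_B), Layer("esp"), Layer("gre"),
            Layer("ip", HOST_A, HOST_B), Layer("payload")]

def ipsec_over_gre():
    # Read literally: GRE carries a packet that was already protected by
    # tunnel-mode ESP, so the GRE header itself sits outside the encryption.
    return [Layer("ip", GW_A, GW_B), Layer("gre"),
            Layer("ip", GW_A, GW_B), Layer("esp"),
            Layer("ip", HOST_A, HOST_B), Layer("payload")]

def wire_view(stack):
    """Header names a passive observer can parse: everything up to and
    including the first ESP header (SPI and sequence number are plaintext)."""
    visible = []
    for layer in stack:
        visible.append(layer.name)
        if layer.name == "esp":
            break
    return visible

def cleartext_addresses(stack):
    """(src, dst) pairs readable without the ESP keys."""
    idx = [l.name for l in stack].index("esp")
    return [(l.src, l.dst) for l in stack[:idx] if l.name == "ip"]

def ip_header_count(stack):
    """IPv4 headers on the wire; each costs 20 bytes without options."""
    return sum(1 for l in stack if l.name == "ip")
```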
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:40 GMT-3