Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

From: Dana J. Dawson (djdawso@qwest.com)
Date: Wed Jul 16 2003 - 13:11:59 GMT-3


The scenario I encountered where this would be useful involved a remote site
with VPN connectivity to the main site across the Internet. However, for
administrative reasons, the customer wanted the remote site's Internet access to
use the main site rather than directly. Also, they had older routers that
didn't have hardware encryption modules, so it was beneficial to avoid
encrypting Internet-bound traffic at the remote site, just to have the main site
have to decrypt it and send it back to the Internet. Running IPSec through a
GRE tunnel allows that, since you can tunnel Internet traffic to the main site
without encrypting it.

So, the notion of IPSec through (over) GRE does exist and it does work, though
Cisco says it's not an officially supported config. During a recent Cisco
Virtual Chalk Talk session I asked a Cisco engineer if this "feature" was liable
to go away anytime soon, and he said no, it would probably continue to
work. With the advent of VPN bundles and cheap encryption hardware it's
becoming less of an issue, but there are still a lot of people out there with
small to medium routers without such hardware who want to use IPSec to reduce
WAN charges.

The configuration for doing this is trivial - just leave the "crypto map"
command off the physical interface and put it on the Tunnel interface. The rest
of your VPN config is the same as a basic site-to-site VPN (i.e. you still need
tunnel mode).

Anyway, that's the real-life situation I've come across where IPSec through GRE
was useful.

Dana

-- 

Dana J. Dawson                  djdawso@qwest.com
Senior Staff Engineer           CCIE #1937
Qwest Communications            (612) 664-3364
600 Stinson Blvd., Suite 1S     (612) 664-4779 (FAX)
Minneapolis MN 55413-2620

"Hard is where the money is."

Joe Deleonardo wrote:
> About the only reason I can think of is if you had a requirement to use
> AH and you weren't allowed to do NAT before IPSec and NAT Transparency
> is not an option.
>
> ----- Original Message -----
> From: Joe Deleonardo <mailto:joe_deleonardo@hotmail.com>
> To: cciesecurity@yahoogroups.com <mailto:cciesecurity@yahoogroups.com> ; ccielab@groupstudy.com <mailto:ccielab@groupstudy.com> ; security@groupstudy.com <mailto:security@groupstudy.com>
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes
> sense; it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a
> link to a config example? ... if it's something?
>
> Thanks,
>
> Joe
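As an added illustration, not Dana's configuration or a Cisco example: a minimal remote-site IOS config for the IPSec-through-GRE arrangement Dana describes, with the crypto map on Tunnel0 and the physical interface left without one. Hostnames, addresses, ACL and map names, and the pre-shared key placeholder are all assumed; the IPSec peer is taken to be the far end's tunnel address, since the IPSec packets ride inside the GRE tunnel rather than across the Internet directly.

```cisco
! Remote-site router (all names and addresses are constructed for this example)
! 10.2.0.0/16 = remote LAN, 10.1.0.0/16 = main-site LAN
! 198.51.100.2 = remote Internet address, 203.0.113.1 = main-site Internet address
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
! Peer is the far end's Tunnel0 address (assumption: IKE/IPSec run inside the GRE tunnel)
crypto isakmp key REPLACE-WITH-PSK address 172.16.0.1
!
! Tunnel mode is still required, as a plain site-to-site VPN
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Only LAN-to-LAN traffic is encrypted; Internet-bound traffic that also
! rides Tunnel0 to the main site is left in the clear, so the remote router
! does no crypto work for it.
ip access-list extended ENCRYPT-SITE-TO-SITE
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set TS-3DES-SHA
 match address ENCRYPT-SITE-TO-SITE
!
! The crypto map goes on the Tunnel interface (IPSec over GRE) ...
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 crypto map VPN-MAP
!
! ... and is deliberately absent from the physical interface
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
! Default route into the tunnel sends Internet traffic via the main site;
! the host route keeps the tunnel endpoint reachable through the ISP
! so the tunnel does not recurse through itself.
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 203.0.113.1 255.255.255.255 198.51.100.1
```

With a default route pointing into Tunnel0, verify with `show crypto ipsec sa` that only the 10.2.0.0/16 to 10.1.0.0/16 flow builds SAs and that the counters for Internet-bound traffic stay at zero.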



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:41 GMT-3