RE: IPSec over GRE -vs- GRE over IPSec

From: Larson, Chris (CLarson@usaid.gov)
Date: Wed Jul 16 2003 - 14:28:55 GMT-3


It has been a while, but the last time I actually did something like that I
don't think you could put IPSEC into a GRE tunnel, you had to encrypt
the GRE in IPSEC.
Maybe that is no longer the case. I do not see the point of putting IPSEC
inside GRE. I can see why you might encrypt a GRE tunnel using IPSEC, but
not put IPSEC into GRE.

Can someone confirm that that is even possible? Like a config or doc?

> -----Original Message-----
> From: Joe Deleonardo [SMTP:joe_deleonardo@hotmail.com]
> Sent: Tuesday, July 15, 2003 2:01 PM
> To: Charles Church; cciesecurity@yahoogroups.com;
> ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: IPSec over GRE -vs- GRE over IPSec
>
> Doesn't that seem like the same thing to you?
>
> First you create a GRE tunnel. Then you create an IPSec Tunnel and run the
> IPSec tunnel over the GRE tunnel. I guess what you're saying is run the IPX
> traffic over the GRE tunnel in tandem with the IPSec tunnel?
>
> But why bother having the IPSec run over the GRE tunnel at all?
>
> Every example I find has the crypto map bound to the tunnel and the physical
> interface. That would seem to indicate that it's GRE over IPSec.
>
> I would think if you wanted to do IPSec over GRE you'd just bind the crypto
> map to the tunnel interface only. I need to go do this in the lab to see if
> this is possible.
>
> Unless maybe you wanted to take some load off a core router and have the
> IPSec tunnel decrypt on a distribution router. But that still doesn't make
> sense, just let the IPSec tunnel through. You're going to have to let the
> GRE tunnel through anyway.
>
> Unless there's a situation where there are some advantages with NAT.
> Hmmm....
>
>
> ----- Original Message -----
> From: "Charles Church" <cchurch@wamnet.com>
> To: "Joe Deleonardo" <joe_deleonardo@hotmail.com>;
> <cciesecurity@yahoogroups.com>; <ccielab@groupstudy.com>;
> <security@groupstudy.com>
> Sent: Tuesday, July 15, 2003 10:32 AM
> Subject: RE: IPSec over GRE -vs- GRE over IPSec
>
>
> > I suppose if you had a large amount of IPX traffic that didn't need to be
> > encrypted but did need to be tunneled over the IP networks, then IPSec over
> > GRE might make sense. No sense wasting router CPU if you don't need to
> > encrypt something.
> >
> > Chuck Church
> > CCIE #8776, MCNE, MCSE
> > Wam!Net Government Services
> > 13665 Dulles Technology Dr. Ste 250
> > Herndon, VA 20171
> > Office: 703-480-2569
> > Cell: 703-819-3495
> > cchurch@wamnet.com
> > PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Joe Deleonardo
> > Sent: Tuesday, July 15, 2003 1:09 PM
> > To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
> > security@groupstudy.com
> > Subject: IPSec over GRE -vs- GRE over IPSec
> >
> >
> > IPSec over GRE -vs- GRE over IPSec.
> >
> > Alright is this just a play on words or what? GRE over IPSec makes sense,
> > it's used to transport non-unicast traffic.
> >
> > But why would you want to do IPSec over GRE? Does anyone have a link to a
> > config example? ... if it's something?
> >
> > Thanks,
> >
> > Joe
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:41 GMT-3