Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

From: Joe Deleonardo (jdeleonardo@cox.net)
Date: Wed Jul 16 2003 - 15:49:38 GMT-3


Do you happen to have your config for that?

Because IPSec only supports unicast traffic. Did you use the neighbor
statement with EIGRP? Did you apply the crypto map to the tunnel and physical
interface?

When you sniffed the traffic were you actually only seeing a GRE tunnel?

The thing is I can find 1000 config examples for GRE over IPSec. I haven't
one example for IPSec over GRE.

I mean everyone sees where I am with this, right? You send a packet over ISDN
or over ATM, you don't send ATM over a packet.

I'm not trying to be difficult or argue with anyone, it's just a bit of a
fascination now. I'm just trying to see if IPSec over GRE is in fact a
legitimate design. Because it would seem to me that to send the IPSec traffic
over the GRE you'd have to apply the crypto map to just the tunnel interface.
And another way besides sniffing the traffic to verify that GRE is carrying
the IPSec is to deny GRE over the IPSec tunnel.

----- Original Message -----
  From: Tracy Blackmore
  To: 'Joe Deleonardo'
  Cc: 'cciesecurity@yahoogroups.com'
  Sent: Wednesday, July 16, 2003 3:57 AM
  Subject: RE: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

  A recent contract that I worked required me to pass EIGRP routing
  information thru an IPSec tunnel over the Internet when the frame-relay
  connection dropped.

  The only way to accomplish this was by first establishing a GRE tunnel
  (which would pass unencrypted routing traffic) and then establishing the
  IPSec tunnel over the GRE tunnel.

  I spent a couple of weeks testing, debugging, and sniffing and could not
  find another way to pass routing traffic through IPSec. If anyone has a way
  to do this, please let me know.

  Tracy

  -----Original Message-----
  From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
  Sent: Tuesday, July 15, 2003 5:55 PM
  To: Szabo, Vilmos; cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
  security@groupstudy.com
  Subject: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

  I agree. Adding a GRE tunnel adds additional overhead. You can send
  unicast routing updates. But that solution looks at Voice and Video. I'm
  not up on design issues for voice and video, so I can't comment on that
  aspect.

  This example is still GRE over IPSec, not IPSec over GRE. The only
  difference in this example is that the IPSec tunnel is in transport mode.

  Transport mode is more efficient than tunnel mode. Transport mode is a mode
  usually established between two hosts, but it can be established between two
  security gateways. With transport mode, however, the IP header is not
  encrypted. You can't determine the contents of the packets, but a traffic
  analysis can be performed. So I guess the question would be a case-by-case
  question. How important is it that traffic analysis not be performed?

  The original question is still there. Is there any reason to run IPSec over
  GRE, or is there no such thing? It seems so far that the two phrases have
  just been used interchangeably, even by Cisco. I re-read their SAFE paper
  today and they use IPSec over GRE and then at the bottom have examples for
  GRE over IPSec.

  ----- Original Message -----
  From: "Szabo, Vilmos" <VS183600@exchange.UnitedKingdom.NCR.COM>
  To: "'Joe Deleonardo'" <jdeleonardo@cox.net>;
  <cciesecurity@yahoogroups.com>; <ccielab@groupstudy.com>;
  <security@groupstudy.com>
  Sent: Tuesday, July 15, 2003 3:34 PM
  Subject: RE: IPSec over GRE -vs- GRE over IPSec

> Joe,
>
> One scenario for IPSec over GRE is 'IPSec Virtual Private Network Resilience
> Solutions'; see the link:
>
> http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns241/netbr09186a0080185726.html
>
> ... but I would argue with the author on this solution because it requires
> two GRE tunnels + two IPSec tunnels between Remote and Central side.
>
> In my opinion it is more simple and flexible to configure a single IPSec
> tunnel so that its SRC and DST are terminated on Loopback interfaces on
> Remote and Central site routers and a Dynamic Routing protocol gives the
> resiliency for the IPSec tunnel.
>
> Let me know your opinion!
>
> Regards,
>
> Vilmos
>
> -----Original Message-----
> From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
> Sent: 15 July 2003 19:38
> To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: Re: IPSec over GRE -vs- GRE over IPSec
>
>
> About the only reason I can think of is if you had a requirement to use AH
> and you weren't allowed to do NAT before IPSec and NAT Transparency is not an
> option.
> ----- Original Message -----
> From: Joe Deleonardo
> To: cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ;
> security@groupstudy.com
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes sense,
> it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a link to a
> config example? ... if it's something?
>
> Thanks,
>
> Joe
>

  To unsubscribe from this group, send an email to:
  cciesecurity-unsubscribe@yahoogroups.com

  Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

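Two of the points argued in this thread, what a sniffer on the Internet path can still read and how much overhead each layering adds, can be checked with a header-stack model. The Python below is an added example, not code from the thread or from Cisco: it assumes IPv4 headers without options, a basic 4-byte GRE header, and ESP with 3DES-CBC and HMAC-SHA1-96, and the 100-byte payload is a constructed input.

```python
"""Header-stack model for GRE over IPsec versus IPsec over GRE.

Added example (not from the thread). Assumed sizes: IPv4 without options,
basic GRE header, ESP with 3DES-CBC (8-byte IV/block) and HMAC-SHA1-96.
ESP encrypts every layer that sits beneath it in the stack.
"""

SIZES = {"ip": 20, "gre": 4}                      # bytes per cleartext header
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_TRAILER, ESP_ICV = 8, 8, 8, 2, 12


def esp_len(inner_len: int) -> int:
    """Bytes on the wire for ESP protecting inner_len bytes of plaintext."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK  # pad to the cipher block size
    return ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def header_stack(design: str, mode: str = "tunnel") -> list:
    """Outer-to-inner layer names; 'esp' marks the encryption boundary."""
    inner = ["ip:original", "payload"]            # the packet being carried
    if design == "gre-over-ipsec":                # IPsec protects the GRE packet
        gre_pkt = ["ip:gre-delivery", "gre"] + inner
        if mode == "tunnel":                      # new outer IP hides the delivery header
            return ["ip:ipsec-outer", "esp"] + gre_pkt
        return gre_pkt[:1] + ["esp"] + gre_pkt[1:]  # transport: delivery IP stays in clear
    if design == "ipsec-over-gre":                # GRE carries a finished IPsec packet
        if mode == "tunnel":
            ipsec_pkt = ["ip:ipsec-outer", "esp"] + inner
        else:
            ipsec_pkt = inner[:1] + ["esp"] + inner[1:]
        return ["ip:gre-delivery", "gre"] + ipsec_pkt
    raise ValueError(f"unknown design {design!r}")


def cleartext_layers(stack: list) -> list:
    """Layers a passive observer on the path can read: everything down to ESP."""
    return stack[: stack.index("esp") + 1]


def wire_len(stack: list, payload_len: int) -> int:
    """Total bytes on the wire, charging ESP overhead for what it encloses."""
    total = 0
    for i, layer in enumerate(stack):
        if layer == "esp":
            return total + esp_len(wire_len(stack[i + 1:], payload_len))
        total += payload_len if layer == "payload" else SIZES[layer.split(":")[0]]
    return total


if __name__ == "__main__":
    for design, mode in [("gre-over-ipsec", "tunnel"), ("gre-over-ipsec", "transport"),
                         ("ipsec-over-gre", "tunnel")]:
        stack = header_stack(design, mode)
        print(f"{design:15} {mode:9} {wire_len(stack, 100):4} bytes  "
              f"visible: {' | '.join(cleartext_layers(stack))}")
```

The IPsec-over-GRE stack is the one where the GRE header itself is readable on the path, which is why sniffing for GRE, or filtering it, distinguishes the two layerings; the transport-mode row shows the 24 bytes saved against tunnel mode for this payload.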



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:42 GMT-3