Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

From: Joe Deleonardo (jdeleonardo@cox.net)
Date: Wed Jul 16 2003 - 15:53:40 GMT-3


Thank you, that's the answer then.

That's why I can't find a config for it, "it's not an officially supported
config."
  ----- Original Message -----
  From: Dana J. Dawson
  To: Joe Deleonardo
  Cc: cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ; security@groupstudy.com
  Sent: Wednesday, July 16, 2003 9:11 AM
  Subject: Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

  The scenario I encountered where this would be useful involved a remote site with VPN connectivity to the main site across the Internet. However, for administrative reasons, the customer wanted the remote site's Internet access to use the main site rather than directly. Also, they had older routers that didn't have hardware encryption modules, so it was beneficial to avoid encrypting Internet-bound traffic at the remote site, just to have the main site have to decrypt it and send it back to the Internet. Running IPSec through a GRE tunnel allows that, since you can tunnel Internet traffic to the main site without encrypting it.

  So, the notion of IPSec through (over) GRE does exist and it does work, though Cisco says it's not an officially supported config. During a recent Cisco Virtual Chalk Talk session I asked a Cisco engineer if this "feature" was liable to go away anytime soon and he said no, it would probably continue to work. With the advent of VPN bundles and cheap encryption hardware it's becoming less of an issue, but there are still a lot of people out there with small to medium routers without such hardware who want to use IPSec to reduce WAN charges.

  The configuration for doing this is trivial - just leave the "crypto map" command off the physical interface and put it on the Tunnel interface. The rest of your VPN config is the same as a basic site-to-site VPN (i.e. you still need tunnel mode).

  Anyway, that's the real-life situation I've come across where IPSec through GRE was useful.

  Dana

  --

  Dana J. Dawson djdawso@qwest.com
  Senior Staff Engineer CCIE #1937
  Qwest Communications (612) 664-3364
  600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
  Minneapolis MN 55413-2620

  "Hard is where the money is."

  Joe Deleonardo wrote:
> About the only reason I can think of is if you had a requirement to use
> AH and you weren't allowed to do NAT before IPSec and NAT Transparency
> is not an option.
>
> ----- Original Message -----
> From: Joe Deleonardo <mailto:joe_deleonardo@hotmail.com>
> To: cciesecurity@yahoogroups.com
> <mailto:cciesecurity@yahoogroups.com> ; ccielab@groupstudy.com
> <mailto:ccielab@groupstudy.com> ; security@groupstudy.com
> <mailto:security@groupstudy.com>
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes
> sense; it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a
> link to a config example? ... if it's something?
>
> Thanks,
>
> Joe

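The placement Dana describes (crypto map on the Tunnel interface, nothing on the physical interface, ordinary tunnel-mode IPSec otherwise), written out as an added Cisco IOS example for the remote-site router; this is not a config from the thread, and the interface names, documentation-range addresses, ACL number and pre-shared-key placeholder are all assumptions.

```cisco
! Remote-site router (constructed example; addresses are documentation ranges)
! ISAKMP/IPsec policy: identical to a plain site-to-site VPN
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set SITE-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only remote-LAN <-> main-LAN traffic is encrypted.
! Anything that does not match (e.g. Internet-bound traffic) still rides the
! GRE tunnel to the main site, but in cleartext - that is the intended
! trade-off, so keep this ACL exact and mirror it on the main-site router.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set SITE-TS
 match address 110
!
! The crypto map lives on the Tunnel interface, so IPsec is applied to the
! original packet before GRE encapsulation ("IPSec over GRE").
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
 crypto map SITE-VPN
!
! Physical interface: deliberately no crypto map here.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description remote-site LAN
 ip address 10.1.1.1 255.255.0.0
!
! All traffic, Internet-bound included, goes to the main site via the tunnel.
! The GRE peer 203.0.113.1 sits on the connected /30, so the connected route
! is preferred over this default and the tunnel cannot route through itself.
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

Verify the split with `show crypto ipsec sa` (only 10.1/16 to 10.2/16 counters should climb) while Internet-bound flows appear only in `show interfaces Tunnel0` counters.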



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:42 GMT-3