From: Alexander Arsenyev (GU/ETL) (alexander.arsenyev@ericsson.com)
Date: Thu Nov 03 2005 - 12:51:42 GMT-3
Depending on IOS version, crypto-map on Tunnel interface may not be required, see
http://www.cisco.com/warp/public/471/vpn5k_stat.shtml#configs
<quote>
Note: With Cisco IOS Software Releases 12.2(13)T and later (higher numbered T-train codes, 12.3 and later codes), you must apply the configured IPSec crypto map to the physical interface only. You no longer have to apply the crypto map on the GRE tunnel interface. Having the crypto map on the physical and the tunnel interfaces when you use Cisco IOS Software Releases 12.2.(13)T and later should still work, but Cisco Systems recommends that you apply the crypto map on the physical interface only.
</quote>
To have GRE tunnel run in the clear between R2 and R3 just configure Tunnel interface on R3 and all crypto stuff on R2 and R1.
HTH
Cheers
Alex
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Geert Nijs
Sent: 03 November 2005 15:43
To: ccielab@groupstudy.com
Subject: GRE encryption with IP SEC
Hi group,
When encrypting a GRE Tunnel with IP SEC, the crypto map must be applied to the Tunnel interface AND to the physical interface.
I understand the physical interface, but why does it need to be specified on the tunnel interface ? Is this really necessary and what is the effect ?
I am trying to setup sort of a special configuration:
Router R1 is connected to R2 and R2 is connected to R3
I have a GRE tunnel running from R1 to R3 using loopback addresses.
Between R1 and R2, this tunnel needs to be encrypted, not from R2 to R3
Is this possible ?
regards,
Geert
#####################################################################################
Simac N.V. trades under the commercial name Simac ICT Belgium.
This e-mail and any attached files are confidential and may be legally privileged.
If you are not the addressee, any disclosure, reproduction, copying, distribution,
or other dissemination or use of this communication is strictly prohibited.
If you have received this transmission in error please notify Simac immediately
and then delete this e-mail.
Simac has taken all reasonable precautions to avoid virusses in this email.
Simac does not accept liability for damage by virusses, for the correct and complete
transmission of the information, nor for any delay or interruption of the transmission,
nor for damages arising from the use of or reliance on the information.
All e-mail messages addressed to, received or sent by Simac or Simac employees
are deemed to be professional in nature. Accordingly, the sender or recipient of
these messages agrees that they may be read by other Simac employees than the official
recipient or sender in order to ensure the continuity of work-related activities
and allow supervision thereof.
#####################################################################################
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:05 GMT-3