
GRE over IPSEC vs. IPSEC over GRE

Generic Routing Encapsulation (GRE) lets us build point-to-point tunnels. There are 2 kinds of tunnels: GRE over IPSEC and IPSEC over GRE. They both work in tunnel mode by default but, as we will see in a moment, they work in completely different ways.





We will be using the lab shown in the diagram below.

The word ‘over’ might be misleading, so when you hear ‘over’, think ‘inside’. Let’s compare both GRE solutions with the appropriate configuration.

GRE over IPSEC – the crypto map is applied to the physical interface; first IPSEC, then GRE; the entire flow is encrypted (GRE + interested traffic, EIGRP, ICMP etc.)

 

 

R1
interface fa0/0
ip address 1.1.1.1 255.255.255.0

interface loopback 0
ip address 192.168.1.1 255.255.255.0

interface tunnel1
ip address 10.0.0.1 255.255.255.0
tunnel source 1.1.1.1
tunnel destination 2.2.2.2

router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0

access-list 100 permit gre host 1.1.1.1 host 2.2.2.2

! Lab values: single DES and DH group 1 are weak and should not be used outside a lab
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
crypto isakmp key itbundle address 2.2.2.2

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto map CRYPTO 10 ipsec-isakmp
match address 100
set peer 2.2.2.2
set transform-set TSET

interface fa0/0
crypto map CRYPTO

R2
interface fa0/0
ip address 2.2.2.2 255.255.255.0

interface loopback 0
ip address 192.168.2.1 255.255.255.0

interface tunnel1
ip address 10.0.0.2 255.255.255.0
tunnel source 2.2.2.2
tunnel destination 1.1.1.1

router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.2.0

access-list 100 permit gre host 2.2.2.2 host 1.1.1.1

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
crypto isakmp key itbundle address 1.1.1.1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto map CRYPTO 10 ipsec-isakmp
match address 100
set peer 1.1.1.1
set transform-set TSET

interface fa0/0
crypto map CRYPTO

Let’s have a look at the traffic captured between the routers: the entire traffic is encrypted (EIGRP, ICMP, GRE).

 



IPSEC over GRE – the crypto map is applied to the tunnel interface; first GRE, then IPSEC; only interested traffic is encrypted (not GRE or the routing protocol)

 

R1

interface Fa0/0
ip address 1.1.1.1 255.255.255.0

interface Loopback0
ip address 192.168.1.1 255.255.255.0

router eigrp 1
no auto
network 10.0.0.0 0.0.0.255
network 192.168.1.0

access-list 100 permit ip host 192.168.1.1 host 192.168.2.1

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
crypto isakmp key itbundle address 10.0.0.2

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto map CRYPTO 30 ipsec-isakmp
match address 100
set peer 10.0.0.2
set transform-set TSET

interface Tunnel1
ip address 10.0.0.1 255.255.255.0
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
crypto map CRYPTO

R2
interface Fa0/0
ip address 2.2.2.2 255.255.255.0

interface Loopback0
ip address 192.168.2.1 255.255.255.0

router eigrp 1
no auto
network 10.0.0.0 0.0.0.255
network 192.168.2.0

access-list 100 permit ip host 192.168.2.1 host 192.168.1.1

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
crypto isakmp key itbundle address 10.0.0.1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto map CRYPTO 30 ipsec-isakmp
match address 100
set peer 10.0.0.1
set transform-set TSET

interface Tunnel1
ip address 10.0.0.2 255.255.255.0
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
crypto map CRYPTO

Unlike with GRE over IPSec, we see that EIGRP traffic is not encrypted; only ICMP is.
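As an added example (not part of the original post), the Python sketch below audits an IOS config to tell the two designs apart by the interface the crypto map is applied to and the protocol the crypto ACL matches, and flags the DES and DH group 1 values used in this lab. The sample configs are constructed from R1's configuration above; the `audit` function and its result fields are hypothetical names.

```python
import re

# Constructed input: R1's configs from this page, trimmed to the relevant lines.
IKE = "crypto isakmp policy 10\n encryption des\n group 1\n"
GRE_OVER_IPSEC = IKE + """\
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
crypto map CRYPTO 10 ipsec-isakmp
 match address 100
interface tunnel1
interface fa0/0
 crypto map CRYPTO
"""
IPSEC_OVER_GRE = IKE + """\
access-list 100 permit ip host 192.168.1.1 host 192.168.2.1
crypto map CRYPTO 30 ipsec-isakmp
 match address 100
interface Tunnel1
 crypto map CRYPTO
"""

def audit(config):
    """Say where the crypto map sits, what stays cleartext, and which IKE values are weak."""
    iface = bound = map_acl = None
    acls, weak = {}, []
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif re.fullmatch(r"crypto map \S+", line):
            bound = iface                    # interface the map is applied to
        elif m := re.match(r"access-list (\d+) permit (\S+)", line):
            acls[m.group(1)] = m.group(2)    # ACL number -> matched protocol
        elif m := re.match(r"match address (\d+)", line):
            map_acl = m.group(1)
        elif line in ("encryption des", "group 1"):
            weak.append(line)                # single DES and 768-bit DH: lab use only
    if bound is None:
        return {"design": "no crypto map applied", "cleartext": ["everything"], "weak": weak}
    if bound.startswith("tu"):               # map on the tunnel: GRE first, then IPsec
        design, clear = "IPsec over GRE", ["GRE header", "EIGRP"]
    elif acls.get(map_acl) == "gre":         # map on the physical port, ACL matches GRE
        design, clear = "GRE over IPsec", []
    else:
        design, clear = "unclassified", ["unknown: crypto ACL does not match GRE"]
    return {"design": design, "cleartext": clear, "weak": weak}

if __name__ == "__main__":
    for cfg in (GRE_OVER_IPSEC, IPSEC_OVER_GRE):
        print(audit(cfg))
```

The parser assumes a single crypto map and a single crypto ACL per router, as in the configs on this page.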

 

 
