Although IPsec provides a secure method for tunneling data across an IP network, it has limitations.
IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these
features, such as routing protocols. IPsec also does not support multiprotocol traffic.
Generic Routing Encapsulation (GRE) is a protocol that can be used to "carry" other passenger protocols,
such as IP broadcast or IP multicast, as well as non-IP protocols.
Before the introduction of VTI, GRE over IPsec was the only way to run dynamic routing over encrypted tunnels.
To encrypt the GRE-tunneled traffic you can either attach a crypto map to the physical interface (Scenario A), where an access list matching GRE (IP protocol 47) between the two tunnel endpoints tells IPsec what to protect, or apply an IPsec profile to the tunnel interface with tunnel protection (Scenario B), as with a VTI implementation; in that case the proxy identities are derived from the tunnel source and destination and no access list is needed.
The lab configurations below use 3DES, MD5 and the pre-shared key CISCO for brevity. In production use AES-256 and SHA-256, set a Diffie-Hellman group of 14 or higher in the ISAKMP policy (the default is group 1), and use a long random pre-shared key or certificate authentication.
Scenario A (with crypto map)
- R1 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.6
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 match address GRE_VPN
 set peer 172.20.1.6
 set transform-set 3DES
ip access-list extended GRE_VPN
 permit gre host 172.20.1.2 host 172.20.1.6
interface Tunnel100
 ip address 192.168.1.2 255.255.255.252
 tunnel source 172.20.1.2
 tunnel destination 172.20.1.6
 tunnel mode gre ip
interface FastEthernet1/0
 ip address 172.20.1.2 255.255.255.252
 crypto map VPN
- R2 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.2
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 match address GRE_VPN
 set peer 172.20.1.2
 set transform-set 3DES
ip access-list extended GRE_VPN
 permit gre host 172.20.1.6 host 172.20.1.2
interface Tunnel100
 ip address 192.168.1.1 255.255.255.252
 tunnel source 172.20.1.6
 tunnel destination 172.20.1.2
 tunnel mode gre ip
interface FastEthernet1/0
 ip address 172.20.1.6 255.255.255.252
 crypto map VPN
Scenario B (with ipsec profile)
- R1 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.6
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set 3DES
interface Tunnel100
 ip address 192.168.1.2 255.255.255.252
 tunnel source 172.20.1.2
 tunnel destination 172.20.1.6
 tunnel mode gre ip
 tunnel protection ipsec profile VTI
- R2 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.2
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set transform-set 3DES
interface Tunnel100
 ip address 192.168.1.1 255.255.255.252
 tunnel source 172.20.1.6
 tunnel destination 172.20.1.2
 tunnel mode gre ip
 tunnel protection ipsec profile VTI
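Most GRE-over-IPsec outages come from the two routers not mirroring each other (a tunnel destination that is not the peer's tunnsource, a pre-shared key bound to the wrong address, a crypto map ACL that does not cover the GRE flow), and most of the lab configs that survive into production keep the 3DES/MD5 settings shown above. The script below is an added example, not part of the original post and not an IOS feature: it parses running-config text of the shape used in Scenario A and Scenario B, checks that the two peers fit together (tunnel source/destination, pre-shared key, crypto map peer and ACL entry, or the tunnel protection profile) and flags deprecated algorithms and short keys. `scenario_a`, `HARDENED`, the transform-set name `TS` and the 16-character minimum key length are assumptions made for the example.

```python
from collections import defaultdict

# IETF-deprecated algorithms that IOS still accepts; AES-256 / SHA-256 are the usual replacements.
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 16                                           # assumption: a local policy value, not an IOS limit
TOP_LEVEL = ("crypto ", "ip access-list", "interface ")    # commands that open a new config section


def parse_ios(text):
    """Pull the fields a GRE-over-IPsec audit needs out of one router's config text."""
    cfg = {"isakmp": [], "transform": [], "psk": {}, "tunnels": {}, "profiles": set(),
           "maps": defaultdict(dict), "acls": defaultdict(list)}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        # 'crypto map VPN' (3 tokens) binds a map to an interface; the 5-token form defines the map.
        if line.startswith(TOP_LEVEL) and not (tok[:2] == ["crypto", "map"] and len(tok) == 3):
            kind = name = None
            if line.startswith("crypto isakmp policy"):
                kind = "isakmp"
            elif line.startswith("crypto isakmp key"):
                i = 4 if tok[3] in ("0", "6") else 3       # skip the optional encryption-type digit
                cfg["psk"][tok[i + 2]] = tok[i]            # peer address -> pre-shared key
            elif line.startswith("crypto ipsec transform-set"):
                cfg["transform"].append(line)
            elif line.startswith("crypto ipsec profile"):
                cfg["profiles"].add(tok[3])
            elif tok[:2] == ["crypto", "map"]:
                kind, name = "map", tok[2]
            elif line.startswith("ip access-list extended"):
                kind, name = "acl", tok[3]
            elif line.startswith("interface Tunnel"):
                kind, name = "tunnel", tok[1]
                cfg["tunnels"][name] = {}
        elif kind == "isakmp":
            cfg["isakmp"].append(line)
        elif kind == "map" and tok[:2] in (["set", "peer"], ["match", "address"]):
            cfg["maps"][name][tok[1]] = tok[2]             # 'peer' -> address, 'address' -> ACL name
        elif kind == "acl":
            cfg["acls"][name].append(line)
        elif kind == "tunnel" and tok[0] == "tunnel":
            if tok[1] in ("source", "destination"):
                cfg["tunnels"][name][tok[1]] = tok[2]
            elif tok[1:3] == ["protection", "ipsec"]:
                cfg["tunnels"][name]["profile"] = tok[4]
    return cfg


def audit(local, remote, label="R1"):
    """Findings for `local` checked against its peer `remote`; an empty list means nothing to report."""
    out = []
    for line in local["isakmp"] + local["transform"]:
        out += [f"{label}: deprecated algorithm '{t}' in '{line}'" for t in line.split() if t in WEAK_TOKENS]
    for tname, t in local["tunnels"].items():
        src, dst = t.get("source"), t.get("destination")
        # Without the mirror-image tunnel on the peer, no GRE packet ever triggers IKE for this pair.
        if not any(r.get("source") == dst and r.get("destination") == src for r in remote["tunnels"].values()):
            out.append(f"{label}: {tname} {src}->{dst} has no mirror tunnel on the peer")
        key = local["psk"].get(dst, "")
        if len(key) < MIN_PSK_LEN:
            out.append(f"{label}: pre-shared key for {dst} is missing or shorter than {MIN_PSK_LEN} characters")
        if key != remote["psk"].get(src):
            out.append(f"{label}: pre-shared key for {dst} does not match the peer's key for {src}")
        if "profile" in t:                                 # Scenario B: tunnel protection with an IPsec profile
            if t["profile"] not in local["profiles"]:
                out.append(f"{label}: {tname} references undefined ipsec profile {t['profile']}")
        else:                                              # Scenario A: a crypto map whose ACL must match the GRE flow
            want = f"permit gre host {src} host {dst}"
            if not any(m.get("peer") == dst and want in local["acls"].get(m.get("address"), [])
                       for m in local["maps"].values()):
                out.append(f"{label}: no crypto map with 'set peer {dst}' and ACL entry '{want}'")
    return out


def scenario_a(local_ip, peer_ip, encr="3des", hash_="md5", esp="esp-3des esp-md5-hmac", psk="CISCO"):
    """Constructed sample in the shape of the post's Scenario A (crypto map) config."""
    return f"""
crypto isakmp policy 10
 encr {encr}
 hash {hash_}
crypto isakmp key {psk} address {peer_ip}
crypto ipsec transform-set TS {esp}
crypto map VPN 10 ipsec-isakmp
 match address GRE_VPN
 set peer {peer_ip}
ip access-list extended GRE_VPN
 permit gre host {local_ip} host {peer_ip}
interface Tunnel100
 tunnel source {local_ip}
 tunnel destination {peer_ip}
interface FastEthernet1/0
 crypto map VPN
"""


# Assumed hardened settings: AES-256, SHA-256 and a placeholder for a long random key kept in a vault.
HARDENED = dict(encr="aes 256", hash_="sha256", esp="esp-aes 256 esp-sha256-hmac",
                psk="replace-with-a-long-random-secret")
```

Running `audit(parse_ios(scenario_a("172.20.1.2", "172.20.1.6")), parse_ios(scenario_a("172.20.1.6", "172.20.1.2")))` on the lab settings reports the four deprecated algorithm tokens and the short key; the same pair built with `**HARDENED` reports nothing, and pointing one side at a different peer address produces the "no mirror tunnel" and key mismatch findings. On a real router, feed the output of `show running-config` into `parse_ios` instead of the constructed sample.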