I was confusing IPSec over GRE this term before. Spent some hours to google Internet. Found out lots of people doesnot really understanding what are difference between them. Eventually found this answer at http://onlinestudylist.com/archives/ccie_security/2009-August/018744.html
" There is no terminology as IPSec over GRE. It is always GREoIPSec. But the question, do you want to put the IPSec into GRE or GRE into IPSec. It all depends on your configuration. GREoIPSec is mostly used, when we need encryption but the traffic is not IPSec compatible. For example, multicast or non IP traffic can't be encapsulated directly into IPSec. Hence first we encapsulate using GRE and then place it in IPSec. When you apply crypto map directly on the GRE tunnel interface, IPSec encapulates the interesting traffic and then this IPSec packet is placed into GRE. interface Tunnel0 ip address 10.20.30.40 tunnel source FastEthernet1/0 tunnel destination 10.20.30.43 crypto map vpn ----------------> IPSec over GRE or interface Tunnel0 ip address 10.20.30.40 tunnel source FastEthernet1/0 tunnel destination 10.20.30.43 tunnel protection ipsec profile mine ----------->IPSec over GRE
When you apply crypto map on the physical interface to which the GRE tunnel is sourced and have interesting traffic as GRE, then the GRE traffic is placed into IPSec. interface Tunnel0 ip address 10.20.30.40 255.255.255.0 tunnel source FastEthernet1/0 tunnel destination 10.20.30.43 int FastEthernet1/0 crypto map vpn -------------------> GRE over IPsec
"
No comments:
Post a Comment