[c-nsp] IPSEC - CISCO (GRE and NAT too!)

Christian Zeng christian at zengl.net
Fri Nov 3 15:12:30 EST 2006


Hi,

>	1) On R1 and R3 you have :
>
> ip route 10.0.0.5 255.255.255.255 10.0.0.2
>		and
> ip route 10.0.0.1 255.255.255.255 10.0.0.6
>
>	respectively. That is the "next hop" for each of the 2 routers?
>(Thus not showing in the configuration) Am I correct on this?

Yes, it's the router between R1 and R3 - R2 :) - providing dumb IP
connectivity.

>	2) In your example you have both the GRE and the IPSEC on the
>outside interface. In the example I'm looking at otherwise
>
>http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

The example is complicated and confusing, because it introduces IPX and
a PIX. I wouldn't use this as a starting or reference point.

>	They have the IPSEC on the outside interfaces, and Tunnel from
>the inside interfaces. Is there any differences between one versus the
>other, or does it change how it does things? I need the IPSec as the
>outer layer, and the GRE as the inner layer because I am dealing with
>NAT.

Hm, not sure at what point you apply NAT, but my example does exactly
what you need. Traffic from 192.168.10.0/24 and 192.168.20.0/24 is
encapsulated into a GRE tunnel first and then the GRE tunnel is
encrypted in IPSec and sent out to the opposite IPSec peer.

In older IOS versions you had to apply the crypto map to both the GRE
tunnel and the outgoing interface. I never had to configure this with
newer IOS versions (12.3+) - the crypto map goes only to the outside
interface.

The example you are referring to has the crypto map applied to both
interfaces, maybe this confuses you.

Best regards,


Christian
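As an added illustration of the layering Christian describes (GRE first, then IPsec, crypto map on the outside interface only), here is a minimal R1 configuration; it is not taken from his post or from the Cisco document. Addresses and routes from the thread are reused; the tunnel addressing, interface names, transform set and pre-shared key are assumed placeholders.

```ios
! R1: outside 10.0.0.1/30 toward R2 (10.0.0.2), IPsec peer R3 at 10.0.0.5
! LAN 192.168.10.0/24 is local; 192.168.20.0/24 is behind R3.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.5
!
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
!
! Crypto ACL matches only GRE between the two tunnel endpoints, so LAN
! traffic is GRE-encapsulated first and the GRE packet is then encrypted.
ip access-list extended GRE-TO-R3
 permit gre host 10.0.0.1 host 10.0.0.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.5
 set transform-set TS-GRE
 match address GRE-TO-R3
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.5
! No crypto map on Tunnel0: with IOS 12.3+ it belongs on the outside only.
!
interface FastEthernet0/0
 description outside, toward R2
 ip address 10.0.0.1 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
!
! Host route to the peer via R2 (as in the thread) and the remote LAN via the tunnel.
ip route 10.0.0.5 255.255.255.255 10.0.0.2
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

R3 mirrors this with the addresses swapped; `show crypto ipsec sa` on either side should then count packets only for the GRE proxy identity 10.0.0.1 <-> 10.0.0.5.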
