[c-nsp] Virtual Tunnel Interface - experiences?

Chris Moore chris.moore at gmd.com
Thu Nov 17 10:37:01 EST 2005


Hi Christian, I'm jumping in in the middle of a conversation where I
haven't read the earlier threads so forgive me if the following comments
are off-base.

GRE doesn't do encryption - you need to encrypt the tunnel with IPSec.

The crypto map is super-generic but very specific at the same time. The
crypto map specifies GRE only between the tunnel endpoints. Then it just
encrypts everything that happens to be going over the tunnel. This has
the advantage of separating routing from encryption. We just run OSPF
over the tunnel for our purposes.

Simple sample config below. We just use preshared keys for our purposes.
Hope it helps.....

! IKE phase 1 policy and preshared key: added here to complete the
! sample, since the crypto map below is ipsec-isakmp and the post says
! preshared keys are in use. The policy values are assumptions chosen to
! match the 3DES/MD5 transform set; replace <preshared-key> with your own.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <preshared-key> address 172.17.2.6

! Transport mode is enough: the GRE packet already carries the outer
! tunnel addresses, so a second (tunnel-mode) IP header buys nothing.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport

crypto map Tunnel_Encrypt 1 ipsec-isakmp
 set peer 172.17.2.6
 set security-association lifetime seconds 190
 set transform-set strong
 match address 110

! GRE packets leave via Serial0/1/0 with source 172.17.2.5, which is
! exactly what access-list 110 matches.
interface Tunnel1
 ip address 172.17.2.13 255.255.255.252
 tunnel source Serial0/1/0
 tunnel destination 172.17.2.6

! The crypto map is applied to the physical interface, not to Tunnel1.
interface Serial0/1/0
 ip address 172.17.2.5 255.255.255.252
 no cdp enable
 crypto map Tunnel_Encrypt

! Only GRE (IP protocol 47) between the two endpoints is encrypted;
! anything routed through the tunnel, OSPF included, is inside that GRE.
access-list 110 permit gre host 172.17.2.5 host 172.17.2.6




Regards, Chris



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Zeng
Sent: Thursday, November 17, 2005 1:40 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Virtual Tunnel Interface - experiences?

* Kevin Graham <mahargk at gmail.com> wrote:
>This said, consider using tunnel protection w/ GRE; config is the same 
>as VTI, just specify encap gre in place of ipsec ipv4. You 
>will have the obvious overhead of an additional encapsulation header, 
>but you'll still have the configuration simplicity of VTI (and it's a 
>one-line change per tunnel should you decide to go w/VTI).

Thanks for the feedback.

Do you suggest using only GRE for securing/encapsulating the tunnel or
do you mean that the VTI/GRE tunnel is encapsulated with an additional
layer of IPSec?

When only using GRE, I'm concerned about tunnel security. At the moment,
we're authenticating IPSec tunnels from spokes with dynamic IP addresses
through IKE RSA sigs (certificates).

Having only GRE as the tunnel protocol: it wouldn't provide advanced
authentication/key exchange methods as IKE with certificates, would it?

When using IPSec on top of GRE encapsulated tunnel: How "generic" is the
cryptomap definition then? Does it only describe the traffic flow
between the GRE tunnel endpoints?

>The other big advantage is tunnel protection profiles (w/ GRE) have 
>been supported since at least 12.3 mainline (can't find it in FN to be 
>sure further back), so 12.3(14)T or 12.4 aren't a prerequisite.

Yes, running 12.4 is one of our major concerns. But anyway, show me a GD
release for 83x routers ;-)

>As you plan, keep in mind that crypto maps and tunnel protection do not
>play nicely together on the same router (at least under early 12.3's)...

Good point; from what I've seen in the testbed, both features won't play
together at all (crypto map and VTI with IPSec tunnel protection).

Best regards,


Christian
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


**********************************************************************
Confidential/Proprietary Note

The information in this email is confidential and may be legally privileged.  Access to this email by anyone other than the intended addressee is unauthorized.  If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful.  If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.  Thank you. 
Guardian Mtg Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************
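An added example, not from Chris's post, Kevin's, or Cisco's documentation: the same GRE tunnel as Chris's sample, but protected with an IPsec profile and tunnel protection (the alternative Kevin suggests and Christian asks about), with IKE authenticated by RSA signatures as Christian describes for his spokes. Addresses reuse the ones in Chris's sample; the ISAKMP policy number and algorithms, the trustpoint name and CA URL, the transform set and profile names, the MTU/MSS values and the OSPF process number are all assumptions.

```cisco
! Added example (not the original poster's config). Same endpoints as
! Chris's sample: Serial0/1/0 = 172.17.2.5, peer = 172.17.2.6,
! tunnel /30 = 172.17.2.12/30.
!
! Phase 1: certificates instead of a preshared key, so a spoke can be
! authenticated by its certificate rather than by its (dynamic) address.
! Policy values are assumptions; group 5 is used because it exists on
! the 12.3/12.4 releases discussed in the thread.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
!
! Assumed trustpoint name and CA URL. Authenticating the CA and enrolling
! the router are exec-mode steps (crypto pki authenticate / enroll).
crypto pki trustpoint HUB-CA
 enrollment url http://ca.example.invalid:80
 revocation-check crl
!
! Phase 2: transport mode, as in the crypto-map version, because the GRE
! header already carries the outer addresses.
crypto ipsec transform-set GRE_TS esp-aes 256 esp-sha-hmac
 mode transport
!
! An IPsec profile replaces the crypto map. There is no "set peer" and no
! "match address": the peer is the tunnel destination and the protected
! traffic is whatever this tunnel carries (GRE between source and
! destination), so routing and encryption stay separate.
crypto ipsec profile GRE_PROTECT
 set transform-set GRE_TS
!
interface Tunnel1
 ip address 172.17.2.13 255.255.255.252
 ! GRE + ESP overhead: lower the MTU and clamp TCP MSS so hosts do not
 ! rely on fragmentation of the encrypted packets (values are assumptions).
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/1/0
 tunnel destination 172.17.2.6
 tunnel protection ipsec profile GRE_PROTECT
 ! GRE encapsulation is the default. Kevin's "one-line change" to a VTI
 ! is to add the following line, which drops the GRE header:
 ! tunnel mode ipsec ipv4
!
interface Serial0/1/0
 ip address 172.17.2.5 255.255.255.252
 no cdp enable
 ! Deliberately no "crypto map" here: the thread reports that crypto
 ! maps and tunnel protection do not coexist on one router (early 12.3).
!
! Routing runs over the tunnel, as in Chris's setup.
router ospf 1
 network 172.17.2.12 0.0.0.3 area 0
```

To check the result, "show crypto session" should list one IKE SA to 172.17.2.6 and one IPsec flow of the form "permit 47 host 172.17.2.5 host 172.17.2.6", i.e. only GRE between the endpoints is being protected; "show crypto ipsec sa" should show the encaps/decaps counters rising as OSPF hellos cross the tunnel, and "show crypto isakmp sa" should show the SA in QM_IDLE once the certificate exchange has completed.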



