Solved

GRE tunnel with crypto statement matching source and destination

Posted on 2007-03-26
4
406 Views
Last Modified: 2008-02-01
Conceptually trying to understand something with IPSec.  Just want to know if what I'm thinking is correct...

I have two endpoints 1.1.1.1 and 1.1.1.1.2.  The local networks on those two networks are 192.168.1.1 and 192.168.2.1 respectively.  

I setup a GRE tunnel to match the two external IPs.  I setup a cryptomap over this GRE tunnel, but in my crytpo statements I only match the gre traffic.  

I route to each network via the GRE tunnel, but that GRE tunnel is encrypted?  Normally, I would match my local networks in my crypto statement so that they are encrypted (show crypto ipsec sa), but I saw a configuration like this the other day and it got me scratching my head.  If I only match on GRE traffic, I'm seting up an IPSEC Gre tunnel but is my local traffic passing over it still secure?  

 
0
Comment
Question by:neowolf219
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18793684
You're probably looking at the typical ipsec tunnel where the tunnel is encrypted only between the end points and the local networks behind each endpoints are not even aware that their traffic is getting encrypted.

This is quite possible in site-to-site lan.

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18794428
Hey Rajesh, that is correct.  My question was, those local networks are not matched in my access-list that defines interesting traffic for my crypto statement.  The only access-list for interesting traffic was as follows

access-list XXX permit gre host 1.1.1.1 host 1.1.1.2

So, the GRE traffic is what is being encrypted under IPSec, whereas my local networks are routing over the specific GRE tunnel.

Does that make sense?  Can I look at this as, well the GRE tunnel is IPSec encrypted, so therefore my local traffic going over GRE is also encrypted?

0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 18797409
Looks a little different to me, would it be possible for you to post the configuration ? (sanitized configuration-> take off the passwords part and remove the first octect of your public ip )

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18803190
Below link is actually exactly what I'm looking at and makes sense.  Thanks for the responses though.  You get the points cause you were teh only one that bothered to even try to answer.  

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question