[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

GRE tunnel with crypto statement matching source and destination

Posted on 2007-03-26
4
Medium Priority
?
422 Views
Last Modified: 2008-02-01
Conceptually trying to understand something with IPSec.  Just want to know if what I'm thinking is correct...

I have two endpoints 1.1.1.1 and 1.1.1.1.2.  The local networks on those two networks are 192.168.1.1 and 192.168.2.1 respectively.  

I setup a GRE tunnel to match the two external IPs.  I setup a cryptomap over this GRE tunnel, but in my crytpo statements I only match the gre traffic.  

I route to each network via the GRE tunnel, but that GRE tunnel is encrypted?  Normally, I would match my local networks in my crypto statement so that they are encrypted (show crypto ipsec sa), but I saw a configuration like this the other day and it got me scratching my head.  If I only match on GRE traffic, I'm seting up an IPSEC Gre tunnel but is my local traffic passing over it still secure?  

 
0
Comment
Question by:neowolf219
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18793684
You're probably looking at the typical ipsec tunnel where the tunnel is encrypted only between the end points and the local networks behind each endpoints are not even aware that their traffic is getting encrypted.

This is quite possible in site-to-site lan.

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18794428
Hey Rajesh, that is correct.  My question was, those local networks are not matched in my access-list that defines interesting traffic for my crypto statement.  The only access-list for interesting traffic was as follows

access-list XXX permit gre host 1.1.1.1 host 1.1.1.2

So, the GRE traffic is what is being encrypted under IPSec, whereas my local networks are routing over the specific GRE tunnel.

Does that make sense?  Can I look at this as, well the GRE tunnel is IPSec encrypted, so therefore my local traffic going over GRE is also encrypted?

0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 18797409
Looks a little different to me, would it be possible for you to post the configuration ? (sanitized configuration-> take off the passwords part and remove the first octect of your public ip )

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18803190
Below link is actually exactly what I'm looking at and makes sense.  Thanks for the responses though.  You get the points cause you were teh only one that bothered to even try to answer.  

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question