?
Solved

GRE tunnel with crypto statement matching source and destination

Posted on 2007-03-26
4
Medium Priority
?
428 Views
Last Modified: 2008-02-01
Conceptually trying to understand something with IPSec.  Just want to know if what I'm thinking is correct...

I have two endpoints 1.1.1.1 and 1.1.1.1.2.  The local networks on those two networks are 192.168.1.1 and 192.168.2.1 respectively.  

I setup a GRE tunnel to match the two external IPs.  I setup a cryptomap over this GRE tunnel, but in my crytpo statements I only match the gre traffic.  

I route to each network via the GRE tunnel, but that GRE tunnel is encrypted?  Normally, I would match my local networks in my crypto statement so that they are encrypted (show crypto ipsec sa), but I saw a configuration like this the other day and it got me scratching my head.  If I only match on GRE traffic, I'm seting up an IPSEC Gre tunnel but is my local traffic passing over it still secure?  

 
0
Comment
Question by:neowolf219
  • 2
  • 2
4 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18793684
You're probably looking at the typical ipsec tunnel where the tunnel is encrypted only between the end points and the local networks behind each endpoints are not even aware that their traffic is getting encrypted.

This is quite possible in site-to-site lan.

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18794428
Hey Rajesh, that is correct.  My question was, those local networks are not matched in my access-list that defines interesting traffic for my crypto statement.  The only access-list for interesting traffic was as follows

access-list XXX permit gre host 1.1.1.1 host 1.1.1.2

So, the GRE traffic is what is being encrypted under IPSec, whereas my local networks are routing over the specific GRE tunnel.

Does that make sense?  Can I look at this as, well the GRE tunnel is IPSec encrypted, so therefore my local traffic going over GRE is also encrypted?

0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 18797409
Looks a little different to me, would it be possible for you to post the configuration ? (sanitized configuration-> take off the passwords part and remove the first octect of your public ip )

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18803190
Below link is actually exactly what I'm looking at and makes sense.  Thanks for the responses though.  You get the points cause you were teh only one that bothered to even try to answer.  

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses
Course of the Month13 days, 22 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question