GRE tunnel with crypto statement matching source and destination

Conceptually trying to understand something with IPSec.  Just want to know if what I'm thinking is correct...

I have two endpoints 1.1.1.1 and 1.1.1.1.2.  The local networks on those two networks are 192.168.1.1 and 192.168.2.1 respectively.  

I setup a GRE tunnel to match the two external IPs.  I setup a cryptomap over this GRE tunnel, but in my crytpo statements I only match the gre traffic.  

I route to each network via the GRE tunnel, but that GRE tunnel is encrypted?  Normally, I would match my local networks in my crypto statement so that they are encrypted (show crypto ipsec sa), but I saw a configuration like this the other day and it got me scratching my head.  If I only match on GRE traffic, I'm seting up an IPSEC Gre tunnel but is my local traffic passing over it still secure?  

 
LVL 3
neowolf219Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rsivanandanCommented:
You're probably looking at the typical ipsec tunnel where the tunnel is encrypted only between the end points and the local networks behind each endpoints are not even aware that their traffic is getting encrypted.

This is quite possible in site-to-site lan.

Cheers,
Rajesh
0
neowolf219Author Commented:
Hey Rajesh, that is correct.  My question was, those local networks are not matched in my access-list that defines interesting traffic for my crypto statement.  The only access-list for interesting traffic was as follows

access-list XXX permit gre host 1.1.1.1 host 1.1.1.2

So, the GRE traffic is what is being encrypted under IPSec, whereas my local networks are routing over the specific GRE tunnel.

Does that make sense?  Can I look at this as, well the GRE tunnel is IPSec encrypted, so therefore my local traffic going over GRE is also encrypted?

0
rsivanandanCommented:
Looks a little different to me, would it be possible for you to post the configuration ? (sanitized configuration-> take off the passwords part and remove the first octect of your public ip )

Cheers,
Rajesh
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
neowolf219Author Commented:
Below link is actually exactly what I'm looking at and makes sense.  Thanks for the responses though.  You get the points cause you were teh only one that bothered to even try to answer.  

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.