Solved

GRE tunnel with crypto statement matching source and destination

Posted on 2007-03-26
4
400 Views
Last Modified: 2008-02-01
Conceptually trying to understand something with IPSec.  Just want to know if what I'm thinking is correct...

I have two endpoints 1.1.1.1 and 1.1.1.1.2.  The local networks on those two networks are 192.168.1.1 and 192.168.2.1 respectively.  

I setup a GRE tunnel to match the two external IPs.  I setup a cryptomap over this GRE tunnel, but in my crytpo statements I only match the gre traffic.  

I route to each network via the GRE tunnel, but that GRE tunnel is encrypted?  Normally, I would match my local networks in my crypto statement so that they are encrypted (show crypto ipsec sa), but I saw a configuration like this the other day and it got me scratching my head.  If I only match on GRE traffic, I'm seting up an IPSEC Gre tunnel but is my local traffic passing over it still secure?  

 
0
Comment
Question by:neowolf219
  • 2
  • 2
4 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18793684
You're probably looking at the typical ipsec tunnel where the tunnel is encrypted only between the end points and the local networks behind each endpoints are not even aware that their traffic is getting encrypted.

This is quite possible in site-to-site lan.

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18794428
Hey Rajesh, that is correct.  My question was, those local networks are not matched in my access-list that defines interesting traffic for my crypto statement.  The only access-list for interesting traffic was as follows

access-list XXX permit gre host 1.1.1.1 host 1.1.1.2

So, the GRE traffic is what is being encrypted under IPSec, whereas my local networks are routing over the specific GRE tunnel.

Does that make sense?  Can I look at this as, well the GRE tunnel is IPSec encrypted, so therefore my local traffic going over GRE is also encrypted?

0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 18797409
Looks a little different to me, would it be possible for you to post the configuration ? (sanitized configuration-> take off the passwords part and remove the first octect of your public ip )

Cheers,
Rajesh
0
 
LVL 3

Author Comment

by:neowolf219
ID: 18803190
Below link is actually exactly what I'm looking at and makes sense.  Thanks for the responses though.  You get the points cause you were teh only one that bothered to even try to answer.  

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Router Firewall rules sonicwall ubiquiti edgerouter 3 91
Windows, IPSec and NAT-T 2 65
vpn tunneling 6 59
eigrp in site-to-site vpn 4 17
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now