IPSec GRE Tunnels VS Traditional Site to Site VPN's
13 years 8 months ago #36581
by JamieP
Jamie Parks
Network Engineer, UK
Hi guys,
I'm really interested to see what everyone's opinion on this is.
My company currently uses what I would call traditional site to site VPNs using crypto maps; the main site has a pair of ASAs in HA and remote sites use ISRs like 1801s.
I've recently been playing in my lab with GRE tunnels using IPSec protection (note this is config from my labs, so IPs and keys are just randomly selected):
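[code:1]
! IKE phase 1 policy: AES-256, pre-shared key, DH group 2
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key for the remote peer
crypto isakmp key oaWDS0HSJS0 address 18.4.27.2
!
! IPsec (phase 2) transform set: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
!
! IPsec profile referenced by the tunnel interface
crypto ipsec profile IPSEC_TUNNEL
 set transform-set esp-aes256-sha
!
! GRE tunnel to the peer, protected by the IPsec profile
interface Tunnel13
 ip address 10.0.0.1 255.255.255.252
 tunnel source fa0/0
 tunnel destination 18.4.27.2
 tunnel protection ipsec profile IPSEC_TUNNEL
[/code:1]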
I've never really seen them in use before, but it seems pretty good to me, because you can put a routing protocol over it without any special modifications, plus you don't have the headache of "interesting traffic" ACLs.
The only drawback for me is that ASAs don't support GRE tunnels, but I am looking at redesigning our enterprise edge, so I'm now thinking would it be worth replacing the ASAs with some high-spec routers to handle VPN traffic.
What's anyone's opinion on this?
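The two approaches compared in the post above, side by side for the same peer, as an added example that is not part of the original thread. The LAN subnets 192.168.1.0/24 and 192.168.2.0/24, the names VPN_INTERESTING and VPN_MAP, and the OSPF process are constructed assumptions; the ISAKMP policy, key, transform set and IPsec profile are the ones from the post and are reused unchanged by both approaches.

```cisco
! --- Approach A: crypto map (the "traditional" site to site VPN) ---
! Constructed subnets: 192.168.1.0/24 is the local LAN, 192.168.2.0/24 the remote LAN.
! Only traffic matching this ACL is encrypted. The peer needs the mirror
! image of it, and every new subnet pair means another entry on both ends.
ip access-list extended VPN_INTERESTING
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 18.4.27.2
 set transform-set esp-aes256-sha
 match address VPN_INTERESTING
!
interface FastEthernet0/0
 crypto map VPN_MAP
!
! A crypto map carries unicast IP only, so OSPF or EIGRP hellos (multicast)
! do not cross it; remote prefixes have to be handled with static routing.
!
! --- Approach B: GRE with tunnel protection (the lab config in the post) ---
! No interesting-traffic ACL: IPsec protects the GRE packets between the
! tunnel source and destination, and whatever is routed into Tunnel13
! is encrypted, multicast included.
interface Tunnel13
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 18.4.27.2
 tunnel protection ipsec profile IPSEC_TUNNEL
!
! The routing protocol runs over the tunnel like over any other interface.
! Adding a remote subnet needs no crypto change on either router.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

Approach A and Approach B are alternatives for the same peer, not a single configuration to paste as a whole.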
12 years 6 months ago #37992
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
IPSec GRE Tunnels and Site-to-Site VPNs are now covered extensively in our Cisco Technical Knowledgebase Section.
Here are a few topics you can read up on, which include theory and configuration commands:
- Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers
- Configuring Point-to-Point GRE VPN Tunnels - Unprotected GRE & Protected GRE over IPSec Tunnels
- Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
- Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode - What's the Difference?