Thursday, October 22, 2009

IPSEC, SDM, GRE over IPSEC...or vice-versa!

So I actually read about 2 more chapters in the Official Exam Cert Guide today, and watched two nuggets.  I reinforced what I learned last night about IPSEC tunnel CLI configuration on GNS3 at work today.  I actually configured everything from memory, and got it correct the first time!  Again the order is:
  1. Configure ISAKMP SA (P1)
  2. Configure IPSEC SA (P2)
  3. Define interesting traffic via extended ACL
  4. Configure Crypto map
  5. Bind crypto map to interface
  6. (Configure NAT ACL as necessary)
So I was actually pretty proud of that, and everything made perfect sense as I was configuring it.  So today I finished up the IPSEC chapters in the book, and watched the SDM IPSEC Tunnel config and the GRE/IPSEC videos.  A basic GRE tunnel config is as follows:

int tunnel [number]
ip address [ip] [netmask]
tunnel source [int type][num]
tunnel destination [ip]
tunnel mode [mode] [transport] //default is gre ip

So GRE is great in that it can transport routing protocols, which IPSEC cannot do.  However, it is inherently insecure, so protecting the GRE tunnel with IPSEC is a great option.  GRE adds about 24 bytes of header overhead, and its optional fields can add up to 12 bytes more.  Some of the newer IOS versions do allow multicast traffic to pass through an IPSEC tunnel.  I will be configuring an IPSEC/GRE tunnel via CLI later, but tonight was about the SDM config of the tunnel.  Good stuff, can't wait to dive into the labs for these sections.
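Putting the six IPSEC steps and the GRE tunnel config together, here is one side (R1) of a GRE over IPSEC tunnel in IOS CLI.  This is an added example, not from the post or the Cert Guide; the addresses, names and interface are made up, the pre-shared key is a placeholder, and R2 gets the mirror-image config.

```cisco
! Added example: GRE over IPSEC on R1 (classic crypto-map style). Constructed addresses:
! R1 WAN 203.0.113.1, R2 WAN 203.0.113.2, tunnel 10.0.0.0/30, R1 LAN 192.168.1.0/24, R2 LAN 192.168.2.0/24
!
! Step 1: ISAKMP SA (Phase 1) policy and the pre-shared key for the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
!
! Step 2: IPSEC SA (Phase 2) transform set; transport mode is enough because GRE already adds the outer IP header
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
!
! Step 3: interesting traffic is the GRE packets between the tunnel endpoints, NOT the LAN subnets
ip access-list extended ACL-GRE-TO-R2
 permit gre host 203.0.113.1 host 203.0.113.2
!
! Step 4: crypto map ties peer, transform set and interesting-traffic ACL together
crypto map CM-GRE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GRE
 match address ACL-GRE-TO-R2
!
! GRE tunnel; ip mtu is lowered to leave room for the 24-byte GRE plus IPSEC overhead and avoid fragmentation
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
!
! Step 5: bind the crypto map to the physical WAN interface (the tunnel source), not to Tunnel0
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-GRE
!
! Step 6 (if the WAN interface also does NAT): exempt LAN-to-LAN traffic so it rides the tunnel un-translated
ip access-list extended ACL-NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Routing protocol runs across the tunnel; GRE carries the multicast hellos that plain IPSEC would drop
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
```

Once both sides are up, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters rising as the EIGRP hellos cross the tunnel.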
