Encrypted GRE Tunnel with IPSEC

I do have the same question, why don’t we just apply the crypto map to the GRE tunnel interface?

Hello Tom

Applying the crypto map directly to the GRE tunnel interface is not typically done because of the way that GRE and IPsec interact.

GRE is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. However, GRE itself doesn’t provide any encryption.

On the other hand, IPsec provides encryption and authentication at the network layer. It’s commonly used in conjunction with GRE to secure the data that’s being transported within the GRE tunnel.

When we apply the crypto map to the physical interface, the router will encrypt the GRE and the encapsulated data payload. This means that the entire GRE packet (including the GRE header) will be encrypted, which enhances the security of the data being transported.

If we apply the crypto map directly to the GRE tunnel interface, only the payload within the GRE tunnel (not the GRE header itself) would be encrypted. This could potentially expose more information to potential attackers and provide less overall security. Does that make sense?

I hope this has been helpful!

Laz
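As an added example (not part of the thread), here is the HQ side of the configuration Laz describes: the crypto map is bound to the physical interface and the crypto ACL matches the GRE flow between the two endpoints, so the whole GRE packet is protected. Addresses, names and the pre-shared key are placeholders.

```cisco
! HQ router. Placeholder addresses (the thread does not give any):
! HQ Fa0/0 = 192.0.2.1, Branch Fa0/0 = 198.51.100.1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key; use a long, unique secret per peer in practice.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! Transport mode: the GRE packet already carries the outer IP header,
! so ESP sits between that header and the GRE header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic is the GRE flow between the tunnel endpoints,
! so the GRE header and everything it encapsulates get encrypted.
ip access-list extended GRE-TO-BRANCH
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-BRANCH
!
! No crypto map on the tunnel: GRE packets are encrypted as they
! leave Fa0/0, where the crypto map is applied.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-CM
!
! Check: "show crypto ipsec sa" should show #pkts encaps/decaps
! increasing while traffic crosses Tunnel0.
```

The Branch router mirrors this configuration with the two addresses swapped.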

Just out of curiosity, if the ISP router were replaced by an ISP cloud, would this still work? What I mean is that HQ and Branch still connect to an ISP router with those same networks and interfaces, but on the ISP side it’s not a singular router but two or more devices. Would this all still play out, or would there need to be changes?

Hello William

Yes, it would work. The prerequisite here is that the Fa0/0 interfaces of the HQ and Branch routers are reachable from each other. It doesn’t matter whether there’s one router between them or more. The idea is that the ISP router represents any network that provides connectivity between the two devices. In many real-world scenarios, this network is typically the internet itself.

I hope this has been helpful!

Laz