GRE over IPSec with Hub and Remote Sites

Hi Rene,

I am confused about the two terms GRE over IPSec and IPSec over GRE. Are both the same? If not, what is the difference between the two? Many thanks

br//
zaman

Hello again Mohammad.

Usually, when one uses the term GRE over IPSec, we are talking about IPSec tunnel mode. When we are referring to IPSec over GRE, it usually means using IPSec transport mode. But again, there is no clear-cut definition in such terminology. For more information about tunnel and transport mode, take a look at this other post in which I responded to one of your posts.

I hope this has been helpful!

Laz
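As an added illustration (not part of Laz's answer or the original thread), the Python script below builds a GRE packet and then wraps it in ESP in both modes, so the difference in header order and per-packet overhead can be seen directly. All addresses, the key, the fixed IV and the inner packet are constructed; it assumes IPv4 without options, a 4-byte GRE header (no key or sequence), AES-CBC (16-byte IV and block) and HMAC-SHA-256-128 integrity. Encryption is deliberately left out so the layering stays readable; the ICV is a real HMAC over the bytes ESP authenticates.

```python
"""Header layering of GRE over IPsec in ESP transport vs. tunnel mode.

Added example; not from the thread above. Assumptions (all constructed):
IPv4 without options, GRE with no key/sequence (4-byte header), ESP with
AES-CBC (16-byte IV and block) and HMAC-SHA-256-128 integrity. Encryption is
omitted so the layering stays readable; the ICV is a real HMAC over the
bytes ESP actually authenticates (RFC 4303).
"""
import hashlib
import hmac
import struct

IPV4_HDR_LEN = 20
ESP_IV_LEN = 16        # AES-CBC IV
ESP_BLOCK = 16         # AES block size; ESP pads payload + trailer to it
ESP_TRAILER_LEN = 2    # pad length + next header
ESP_ICV_LEN = 16       # HMAC-SHA-256 truncated to 128 bits
IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP = 4, 47, 50
ETHERTYPE_IPV4 = 0x0800
TUN_SRC, TUN_DST = "203.0.113.1", "203.0.113.2"   # constructed tunnel peers
KEY = b"constructed-integrity-key"                  # constructed; real keys come from IKE


def ipv4_header(src, dst, proto, total_len):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                      64, proto, 0, addr(src), addr(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def gre_encapsulate(inner_ip, src, dst):
    """Plain GRE: outer IPv4 (proto 47) + 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)        # no C/K/S flags, version 0
    return ipv4_header(src, dst, IPPROTO_GRE,
                       IPV4_HDR_LEN + len(gre) + len(inner_ip)) + gre + inner_ip


def esp_encapsulate(payload, next_header, spi=0x1000, seq=1):
    """ESP framing: SPI | seq | IV | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(payload) + ESP_TRAILER_LEN)) % ESP_BLOCK
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad bytes 1,2,3,...
    iv = bytes(ESP_IV_LEN)                             # constructed zero IV; real ESP uses a fresh random IV
    body = (struct.pack("!II", spi, seq) + iv + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:ESP_ICV_LEN]
    return body + icv


def gre_over_ipsec(inner_ip, mode):
    """Encapsulate inner_ip in GRE, then protect the GRE packet with ESP in the given mode."""
    gre_pkt = gre_encapsulate(inner_ip, TUN_SRC, TUN_DST)
    if mode == "transport":
        # ESP slots in between the GRE packet's own IP header and the GRE header.
        esp = esp_encapsulate(gre_pkt[IPV4_HDR_LEN:], IPPROTO_GRE)
    elif mode == "tunnel":
        # The whole GRE packet, IP header included, becomes the ESP payload,
        # and a second outer IP header with the same peer addresses is added.
        esp = esp_encapsulate(gre_pkt, IPPROTO_IPIP)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ipv4_header(TUN_SRC, TUN_DST, IPPROTO_ESP, IPV4_HDR_LEN + len(esp)) + esp


def layering(mode):
    """Header order on the wire, outermost first."""
    stack = ["IPv4 (tunnel peers)", "ESP hdr+IV"]
    if mode == "tunnel":
        stack.append("IPv4 (tunnel peers, again)")
    return stack + ["GRE", "IPv4 (inner)", "payload", "ESP trailer", "ESP ICV"]


def constructed_inner(inner_len):
    """Constructed inner IPv4 packet of exactly inner_len bytes (zero-filled payload)."""
    return ipv4_header("10.1.1.10", "10.2.2.20", 1, inner_len) + bytes(inner_len - IPV4_HDR_LEN)


def overhead(mode, inner_len):
    """Bytes added on the wire for an inner packet of inner_len bytes (ESP padding included)."""
    return len(gre_over_ipsec(constructed_inner(inner_len), mode)) - inner_len


def max_inner_mtu(mode, link_mtu=1500):
    """Largest inner packet that fits in link_mtu unfragmented; a basis for 'ip mtu' on the tunnel."""
    size = link_mtu
    while size + overhead(mode, size) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} {' > '.join(layering(mode))}")
        print(f"{'':9s} overhead for a 100-byte inner packet: {overhead(mode, 100)} bytes,"
              f" max inner MTU on a 1500-byte link: {max_inner_mtu(mode)}")
```

The point the script makes is the one behind the two names: in transport mode ESP protects the GRE packet "in place" between the tunnel endpoints' IP header and GRE, while tunnel mode adds a second IP header carrying the very same peer addresses, which only costs 20 bytes of MTU and buys nothing when the GRE endpoints and the IPsec peers are the same routers. The `max_inner_mtu` figure is why a conservative `ip mtu` (and a matching `ip tcp adjust-mss`) is normally set on the tunnel interface; with other transforms or a GRE key the numbers change, so recompute for the transform set actually in use.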

Rene,

Good material with regard to GRE over IPSec. What does this command accomplish when dealing with GRE? Does this allow more bandwidth through the GRE tunnel?

Detail:

interface Tunnel40
bandwidth 102400

**show int tunnel40**
Tunnel40 is up, line protocol is up
  Hardware is Tunnel
  MTU 17886 bytes, BW 102400 Kbit/sec, DLY 50000 usec,

Hi Darryl,

The bandwidth command doesn’t change the actual bandwidth. It’s only used for routing protocols like OSPF or EIGRP that use the bandwidth for their metric calculation.

Rene

Hi Rene,

In this setup, if the remote sites have dynamic public IPs, what will the GRE tunnel config look like on the hub router? I remember I've read it somewhere in your forums but I can't seem to find it. Could you please advise?

Thanks.
Zeeshan

Hello Zeeshan

I think the lesson you are looking for is the IPSec VTI Virtual Tunnel Interface. This provides you with a method of creating an IPSec tunnel without needing to know the public IP address of one end of the link. However, one of the two ends must use a static IP address for it to function.

DMVPN is another option, which provides a hub and spoke topology and uses mGRE to achieve this. Only the hub requires a static IP while the spokes can all have dynamic IPs.

I hope this has been helpful!

Laz

Hello Lazaros,

Thanks for your response. Will the VTI option work on GRE tunnels also?

regards,
Zeeshan

Hello Zeeshan

The VTI feature is considered an alternative to GRE, and cannot be used together. The following excerpt from this Cisco Documentation explains this quite well:

The use of IPsec VTIs both greatly simplifies the configuration process when you need to provide protection for remote access and provides a simpler alternative to using generic routing encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation and crypto maps with IPsec. A major benefit associated with IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with an actual (virtual) interface. Because there is a routable interface at the tunnel endpoint, many common interface capabilities can be applied to the IPsec tunnel.

I hope this has been helpful!

Laz

Lazaros,

I am sure you are aware of ZPA (Zscaler Private Access), which abstracts out the entire networking/tunneling layer and allows customers to easily work at the software level by eliminating firewall rules and access lists.

They claim to be using tunnels / an overlay network on top of the public Internet to achieve this. Can you give some inner details on what tunneling concepts ZPA is using internally, and how this whole networking jargon of ACLs and firewall policies is eliminated?

https://www.zscaler.com/products/zscaler-private-access

Hello Surendra

Briefly looking over their datasheets, my understanding is that ZPA acts as a centralized cloud-based hub that establishes secure connections to users, enterprise networks, and to online applications. In other words, it works as a “middle man” between the user and the application ensuring the security of all connections. The concept makes sense in that you don’t have to establish a secure connection to each of the services you use. You can consolidate all of the security features into the single ZPA provider for all users and all remote applications.

So ZPA essentially sells secure connections to remote applications using a cloud-based infrastructure. They don’t specify detailed methods by which they achieve this, but it is likely they use VPN technology such as OpenVPN. They abstract this as you correctly stated, so you don’t have to deal directly with VPNs and their configurations. Their software does everything for you.

Even though they seem to be saying that ACLs, firewall policies, VPN configurations are thrown out the window and are not needed, in actuality, they are simply taking these concepts and automating them internally to their software and cloud infrastructure. This terminology they are using is more of a marketing ploy rather than an accurate technological description.

The result is, however, that you as a customer don't need to deal with all of that. However, this translates into the question "what level of trust do you have in this company to truly provide the level of security you demand?" If you're a network engineer, you may prefer to configure it yourself and know the details of what is going on. But that is a decision that must be made in each individual case.

I hope this has been helpful!

Laz