Cisco GRE and IPSec - GRE Over IPSec - Selecting and Configuring GRE IPSec Tunnel or Transport Mode
Written by Administrator. Posted in Cisco Routers - Configuring Cisco Routers (/cisco-technical-knowledgebase/cisco-routers.html)
GRE Tunnels are very common amongst VPN implementations thanks to their simplicity and ease of configuration. With broadcasting and multicasting support, as opposed to pure IPSec VPNs, they tend to be the number one engineers' choice, especially when routing protocols are used amongst sites.
The problem with GRE is that it is an encapsulation protocol, which means that while it does a terrific job providing connectivity between sites, it does a terrible job encrypting the data being transferred between them. GRE is stateless, offering no flow control mechanisms (think of UDP). This is where the IPSec protocol comes into the picture.
IPSec's objective is to provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality. IPSec is extensively covered in our IPSec protocol (/networking-topics/protocols/127-ip-security-protocol.html) article.
IPSec can be used in conjunction with GRE to provide top-notch security encryption for our data, thereby providing a complete, secure and flexible VPN solution. IPSec can operate in two different modes, Tunnel mode and Transport mode. Both of these modes are covered extensively in our Understanding VPN IPSec Tunnel Mode and IPSec Transport Mode (/networking-topics/protocols/870-ipsec-modes.html) article. Additionally, Cisco GRE Tunnel configuration is covered in our Configuring Cisco Point-to-Point GRE Tunnels (/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html) article. We highly recommend reading these articles before proceeding, as they are a prerequisite for understanding the information covered here.
As with IPSec, when configuring GRE with IPSec there are two modes in which GRE IPSec can be configured, GRE IPSec Tunnel mode and GRE IPSec Transport mode.
This article examines the difference between GRE IPSec Tunnel and GRE IPSec Transport mode, and explains the packet structure differences along with the advantages and disadvantages of each mode.
GRE IPSEC TUNNEL MODE
Cisco GRE and IPSec - GRE over IPSec - Selecting and Configuring GR... http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/872-...
1 of 6 4/16/2015 10:52 AM
With GRE IPSec tunnel mode, the whole GRE packet (which includes the original IP header and packet) is encapsulated, encrypted and protected inside an IPSec packet. GRE over IPSec Tunnel mode provides additional security because no part of the GRE tunnel is exposed; however, there is a significant overhead added to the packet. This additional overhead decreases the usable free space for our payload (the original IP packet), which means more fragmentation may occur when transmitting data over a GRE IPSec Tunnel VPN.
IPSec Tunnel mode is the default configuration option for both GRE and non-GRE IPSec VPNs. When configuring the IPSec transform set, no other configuration commands are required to enable tunnel mode:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
CALCULATING GRE IPSEC TUNNEL MODE OVERHEAD
Calculating the overhead will help us understand how much additional space GRE over IPSec in Tunnel mode requires and our effective usable space.
The packet structure below shows an example of a GRE over IPSec in Tunnel mode:
Two important points to keep in mind when calculating the overhead:
Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example, DES or 3DES introduces an 8-byte IV field, whereas AES introduces a 16-byte IV field. In our example, we are using 3DES encryption, therefore producing an 8-byte IV field.
The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length and Next Header fields (both 1 byte long and contained within the ESP Trailer) and the ESP Auth Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.
Following is the calculated overhead:
ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes
Note: ESP Trailer has been calculated as 4 bytes as per above note.
GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
Total Overhead: 52 + 24 = 76 Bytes
GRE IPSEC TRANSPORT MODE
With GRE IPSec transport mode, the GRE packet is encapsulated and encrypted inside the IPSec packet; however, the GRE IP Header is placed at the front. This effectively exposes the GRE IP Header, as it is not encrypted the way it is in Tunnel mode.
IPSec Transport mode is not the default configuration and must be enabled using the following command under the IPSec transform set:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode transport
GRE IPSec transport mode does have a few implementation restrictions. It is not possible to use GRE IPSec transport mode if the crypto tunnel transits a device using Network Address Translation (NAT) (/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html) or Port Address Translation (PAT). In such cases, Tunnel mode must be used.
Finally, if the GRE tunnel endpoints and Crypto tunnel endpoints are different, GRE IPSec transport mode cannot be used.
These limitations seriously restrict the use and implementation of the transport mode in a WAN network environment.
CALCULATING GRE IPSEC TRANSPORT MODE OVERHEAD
Calculating the overhead will help us understand how much space GRE over IPSec in Transport mode uses and our effective usable space.
The packet structure below shows an example of GRE over IPSec in transport mode:
Again, two important points must be kept in mind when calculating the overhead:
Depending on the encryption algorithm used in the crypto transform set, the Initialization Vector (IV) shown could be 8 or 16 bytes long. For example, DES or 3DES introduces an 8-byte IV field, whereas AES introduces a 16-byte IV field. In our example, we are using 3DES encryption, therefore producing an 8-byte IV field.
The ESP Trailer will usually vary in size. Its job is to ensure that the Pad Length and Next Header fields (both 1 byte long and contained within the ESP Trailer) and the ESP Auth Trailer are aligned on a 4-byte boundary. This means the total number of bytes, when adding the three fields together, must be a multiple of 4.
Following is the calculated overhead:
ESP Overhead: 20 (IP Hdr) + 8 (ESP Hdr) + 8 (IV) + 4 (ESP Trailer) + 12 (ESP Auth) = 52 Bytes
Note: ESP Trailer has been calculated as 4 bytes as per above note.
GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes
It is evident that GRE IPSec Transport mode saves approximately 20 bytes of overhead per packet. This might save a moderate amount of bandwidth on a WAN link; however, there is no significant increase in CPU performance by using this mode.
CONCLUSION
When comparing GRE over IPSec tunnel and GRE over IPSec transport mode, there are significant differences that cannot be ignored.
If the GRE tunnel and crypto endpoints are not the same (IP address wise), transport mode is definitely not an option.
If packets traverse a device (router) where NAT or PAT is used then again, transport mode cannot be used.
On the other hand, tunnel mode seems to pay off its 20-byte additional overhead by being flexible enough to be used in any type of WAN environment and offering increased protection by encrypting the GRE IP Header inside the ESP packet.
Taking into consideration the small additional CPU load the tunnel mode produces and the advantages it offers, we don't believe it's a coincidence that Cisco has selected this mode in IPSec's default configuration.
12 comments
Marrie Muts (Utrecht University)
gre over ipsec offers a terrible throughput performance on most platforms due to lack of gre processing acceleration.., so the next article is about vti approach?
14 May 2012 at 08:33
Chris Partsenidis (Founder, Editor-in-Chief at Firewall.cx)
Marrie, I've actually benchmarked gre over ipsec with crypto ipsec tunnels and to be honest, the throughput on a DSL wan line was the same. Figures might be different on a T1 or greater connection and there might be a big impact as you say. VTI is on the list, however mGRE and DMVPN is next :) Hope you enjoy and share!
14 May 2012 at 11:54
Khensani Gregory Baloyi
Great article!
30 October 2012 at 08:47
Mohan Raj (GISOCC Infrastructure Engineer at Valeo)
Very good article, really useful information.
19 December 2012 at 09:29
Elias Mulenga
great stuff
1 February 2013 at 02:09
Abuty Mofya (Self-employed)
good staff
1 February 2013 at 05:53
Obinabo Ken (Northumbria University)
Wonderful article
22 August 2013 at 04:13
Copyright 2000-2015 Firewall.cx - All Rights Reserved. Information and images contained on this site are copyrighted material.