IPsec: To tunnel or not to tunnel?

From: Denis Theodossiou (denis.theodossiou@btinternet.com)
Date: Fri May 02 2003 - 16:53:20 GMT-3


Hi,

I've been trying to understand IPsec and I am now confused. Let me first
tell you what I understand:

Crypto maps are applied on an interface and, based on an ACL, outbound
traffic matching this ACL is "diverted" from the interface to an IPsec
"tunnel" between the router and the IPsec peer. This traffic then gets
encrypted etc. based on the transform sets applied to the crypto map and
the IPsec negotiation. This means that the IPsec traffic gets
encapsulated in packets having as IP source address the IP address of the
interface where the traffic was picked up from and as IP destination
address the "IPsec peer" address, just as if it were a GRE tunnel. At
the destination, the traffic must arrive on an interface having another
crypto map applied, with a mirror ACL, and then it gets decrypted,
de-encapsulated and sent to continue its peaceful IP path to its real
destination.

On a couple of sample labs I did, the solution first created a normal
GRE tunnel (interface TunnelX), and then applied the crypto map on that
interface. This confuses me a bit:
(1) Since IPsec is in fact a tunnel, why would you want to create
another tunnel and have the traffic be tunnelled twice?
(2) Is the IPsec peer the same IP address as the tunnel destination IP
address? Some configs had the remote Tunnel interface IPs as IPsec
peers and some the tunnel destination IP (i.e. the remote "physical"
address). What is the difference between the two configs?
(3) Just so that I understand it correctly, must the "crypto isakmp key
address" be the same as the "set peer" address inside the crypto map
when using pre-shared IKE keys?
(4) Is it possible to send the IPsec traffic out another interface than
the one it was "picked up" from? I.e. apply the crypto map on Eth0 to
catch traffic that would normally go out Eth0, but send this encrypted
traffic out Eth1?

Thank you for your thoughts,
Denis
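
For readers following this thread, here is the GRE-over-IPsec setup Denis
describes, written out as a worked Cisco IOS configuration. It is an added
example for this archive page, not taken from Denis's labs or from any Cisco
document; the router names, addresses, ACL/map names, the pre-shared key and
the AES/SHA-256 algorithm choices are all hypothetical. It shows the relation
between the pieces he asks about: the tunnel source/destination, the "set
peer" address, the "crypto isakmp key ... address" entry, and the crypto ACL.

```cisco
! ---- R1 (hypothetical lab box, WAN 203.0.113.1, LAN 192.168.1.0/24) ----
!
! IKE phase 1 policy. Algorithms are an example choice for this post.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Pre-shared key, indexed by the PEER'S address. With pre-shared keys the
! IKE identity is the peer's IP address, so this address is the same one
! used by "set peer" in the crypto map below: the remote physical/WAN
! address, which is also the GRE tunnel destination. It is NOT the remote
! Tunnel0 interface address (10.0.0.2), which only exists inside the GRE.
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.2
!
! Phase 2 transform set. Transport mode is enough here because GRE already
! adds the outer IP header; tunnel mode would simply add a second one.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: the traffic to protect is the GRE packets the tunnel interface
! emits (outer header = tunnel source/destination), not the inner LAN
! traffic. The LAN prefixes never appear here; routing into Tunnel0 takes
! care of them. R2 uses the mirror image of this ACL.
ip access-list extended ACL-GRE-TO-R2
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CM-R2 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GRE
 match address ACL-GRE-TO-R2
!
interface Tunnel0
 description GRE to R2; runs inside IPsec
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
interface GigabitEthernet0/0
 description WAN; the crypto map sits on the physical egress interface
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-R2
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
! Steer the remote LAN into the GRE tunnel; the GRE packet then matches
! ACL-GRE-TO-R2 on Gi0/0 and is encrypted on the way out.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ---- R2 (hypothetical, WAN 203.0.113.2, LAN 192.168.2.0/24): mirror ----
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.1
ip access-list extended ACL-GRE-TO-R1
 permit gre host 203.0.113.2 host 203.0.113.1
crypto map CM-R1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-GRE
 match address ACL-GRE-TO-R1
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CM-R1
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

Two practical notes on this example. First, the crypto map is applied to the
physical WAN interface, where the GRE packet is actually transmitted; older
IOS releases also required it on the Tunnel interface, which is why some lab
solutions show it in both places. Second, `show crypto isakmp sa` and
`show crypto ipsec sa` on either router should show a single SA pair whose
local/remote identities are the two WAN addresses and whose protected
selector is the GRE ACL entry; if the SA instead lists a LAN prefix or a
Tunnel0 address, the crypto ACL or "set peer" is pointing at the wrong layer.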



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:36 GMT-3