[Openswan Users] GRE over IPSec - Cisco endpoint

Erich Titl erich.titl at think.ch
Mon Dec 21 03:26:52 EST 2009



Tom Stockton wrote:
> On Fri, Dec 18, 2009 at 3:41 PM, Erich Titl <erich.titl at think.ch> wrote:
>>> I haven't attempted to do any GRE yet but I don't understand how I
>>> would do it as part of the IPSec connection.  I can understand making
>>> a GRE connection after the IPSec tunnel was setup but in this case the
>>> IPSec and GRE endpoints are the same IP addresses so I don't
>>> understand how I could route the GRE connection through the IPSec
>>> tunnel without breaking IPSec ?
>> AFAIK a GRE endpoint is just another logical endpoint in your network.
>> It can have any address you want to give it, completely apart from the
>> IPSEC tunnel transporting the GRE tunnel.
> 
> This was my understanding also, I can't understand how it is possible
> to create an IPSec connection to an endpoint and then route a GRE
> connection to the same endpoint through the IPSec tunnel - surely this
> would break the original IPSec connection ?

GRE over IPSEC would IMHO need another pair of endpoints.

> 
> The engineer managing the other end informs me though that the GRE
> connection is made as part of the IPSec tunnel (phase 2 to be exact)
> and that this is how it works ..... It does work from a Cisco device
> (we already do it) but I need to figure out how to do the same in
> Linux.

AFAIK GRE is _not_ part of the IPSEC standard, so I _believe_ it is not
handled in and by any IPSEC phase.

I found this
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
on the net.

cheers

Erich
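
Added example, not part of the original message and not the poster's or the Openswan project's own configuration: one way to express in Openswan the arrangement the remote engineer describes, where the phase 2 selector covers only IP protocol 47 (GRE) between the same two peer addresses. The addresses (documentation ranges), connection name, interface names, pre-shared-key authentication and transport mode are all assumptions.

```conf
# /etc/ipsec.conf fragment (constructed example; every address is a placeholder)
conn gre-to-cisco
    # The same two public addresses terminate both IPsec and GRE.
    # left = Linux/Openswan side, right = Cisco side (both assumed).
    left=192.0.2.10
    right=198.51.100.20
    # Phase 2 selector: protect only IP protocol 47 (GRE) between the peers.
    # IKE (UDP 500) and ESP do not match this selector, so carrying GRE
    # between the same endpoints does not disturb the IPsec SA itself.
    leftprotoport=47
    rightprotoport=47
    # Assumption: the peer uses transport mode. If it uses tunnel mode,
    # set type=tunnel and keep the selectors host-to-host (no
    # leftsubnet/rightsubnet), so they still match GRE between the peers.
    type=transport
    # Assumption: pre-shared key; use whatever the peer is configured for.
    authby=secret
    auto=start

# GRE interface on the Linux side, created with iproute2 (run as root).
# The local/remote addresses are the same as left/right above; the inner
# /30 is an assumed tunnel network.
#   ip tunnel add gre1 mode gre local 192.0.2.10 remote 198.51.100.20 ttl 255
#   ip addr add 10.255.0.1/30 dev gre1
#   ip link set gre1 up
#
# Check on the outside interface (eth0 assumed) that packets sent to the
# peer appear as ESP (protocol 50) and not as cleartext GRE (protocol 47):
#   tcpdump -ni eth0 'dst host 198.51.100.20 and (ip proto 47 or ip proto 50)'
```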
