Cisco Systems CL-28826-01 Advantages of IPsec Tunneling with GRE, How Does Security Manager Implement GRE?, Prerequisites for Successful Configuration of GRE

26-3

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter2 6 GRE and DM VPNs

GRE and Dynamic GRE VPNs

•Understanding GRE Configuration for Dynamically Addressed Spokes, page 26-5

Advantages of IPsec Tunneling with GRE

The main advantages of IPsec tunneling with GRE are the following:

•GRE uses a routing protocol by which every IPsec peer knows the status of every other peer at all

times.

•GRE provides higher resiliency than IKE keepalive.

•Spoke-to-spoke connectivity is supported when you use GRE.

•GRE supports multicast and broadcast transmissions.

Note GRE does not support the use of dynamic cryptographic tunnels.

How Does Security Manager Implement GRE?

Security Manager implements an additional Interior Gateway Protocol (IGP) solution for GRE. An IGP

refers to a group of devices that receive routing updates from one another by a routing protocol, EIGRP,

OSPF, or RIP. Each “routing group” is identified by a logical number. For general routing purposes, the

interfaces on the routers in your networks belong to an IGP. Security Manager adds an additional IGP

that is dedicated for IPsec and GRE-secured communication. This additional IGP is the secured IGP. The

existing IGP (unsecured IGP), is used for routing traffic that does not require encryption.

For a GRE tunnel to be established, Security Manager configures a virtual interface on each device.

These virtual interfaces are the endpoints of the GRE tunnel. Each virtual interface is unique. The GRE

tunnel interface has an IP address (inside tunnel IP address) which is taken from an interface that

Security Manager creates. The GRE tunnel points to the source and destination IP addresses of either the

physical or loopback interfaces on each device. The GRE virtual interfaces belong to the secured IGP,

as do the inside interfaces. Routing updates within the secured IGP are GRE encapsulated and IPsec is

applied. A flow whose destination is a secured interface (according to the routing updates of the secured

IGP) is directed through the GRE interface where it is GRE encapsulated and then evaluated against the

crypto ACL. If it matches the crypto ACL, it is routed through the GRE and VPN tunnels.

Prerequisites for Successful Configuration of GRE

Consider the following prerequisites before using GRE in your network:

•You must identify the inside interfaces on your devices—the physical interfaces on the device that

connect the device with its internal subnets and networks.

•You must select a routing protocol (known as an IGP) or a static route, whenever you enable GRE.

Security Manager supports the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static

routes.

–

EIGRP—Enhanced Interior Gateway Routing Protocol enables the exchange of routing

information within an autonomous system and addresses some of the more difficult issues

associated with routing in large, heterogeneous networks. Compared to other protocols, EIGRP

provides superior convergence properties and operating efficiency, and combines the

advantages of several different protocols. For more information, see EIGRP Routing on Cisco

IOS Routers, page 64-8.