Ensuring VPN Security with IPSec/IKE/GRE

Figure 14-2 Tunnel Mode Processing

(Figure: the original packet consists of an IP header followed by data. After processing, the packet consists of a new IP header, an AH/ESP header, the original IP header and the data; with ESP, the original IP header and data can be encrypted.)

As shown above, AH authenticates the entire packet transmitted on the network, whereas ESP covers only a portion of the transmitted packet (the higher-layer data in transport mode and the entire original packet in tunnel mode). The ramifications of this difference in scope between ESP and AH are significant.

Using IPSec together with Network Address Translation (NAT) can be problematic: AH ensures that the packet header is not changed in transit, while NAT does exactly the opposite, rewriting the IP or layer 4 (UDP or TCP) header. AH therefore cannot be used when NAT must be crossed to reach the other end of the tunnel. When only ESP is used, the XSR automatically adds the UDP header that NAT needs in order to operate when it detects an unroutable address (NAT traffic) between the tunnel endpoints.
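To make the difference in scope concrete, the following is an added Python model, not code from the manual or the XSR, that computes an AH-style integrity check value over the immutable IP header fields plus payload and an ESP-style value over the payload alone, then passes the packet through a simulated NAT hop and, for ESP, through the UDP encapsulation that NAT traversal adds. The key, addresses, HMAC algorithm and packet contents are constructed for the example (a real SA key comes from IKE); the XSR's own processing is not modelled beyond what the paragraph above states.

```python
"""Why AH fails behind NAT while ESP survives: an added, simplified model.

AH's ICV covers the immutable IP header fields plus the payload; ESP's ICV
covers only the ESP data. A NAT that rewrites the source address therefore
invalidates AH but not ESP. All data below is constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

# Constructed demo key; a real SA key is negotiated by IKE, never a literal.
AUTH_KEY = b"constructed-demo-key-not-a-real-sa-key"
ICV_LEN = 12  # HMAC-SHA-96 style truncation used for IPsec ICVs


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Pack a minimal 20-byte IPv4 header without options.
    The header checksum is left zero; it is a mutable field and plays no role here."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0x4000,  # DF bit set
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _ah_immutable_view(ip_hdr):
    """Zero the fields AH treats as mutable (TOS, flags/fragment offset, TTL,
    header checksum) so the ICV is computed over what must not change in transit.
    Source and destination addresses stay in: AH does cover them."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(ip_hdr, payload):
    """AH integrity check value: covers the immutable IP header fields and the payload."""
    data = _ah_immutable_view(ip_hdr) + payload
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(esp_payload):
    """ESP integrity check value (transport mode): covers only the ESP data,
    never the outer IP header, so header rewrites are invisible to it."""
    return hmac.new(AUTH_KEY, esp_payload, hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite_source(ip_hdr, new_src):
    """Model a NAT hop: rewrite the source address and decrement the TTL."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    return bytes(h)


def nat_t_encapsulate(esp_packet, sport=4500, dport=4500):
    """NAT traversal: prepend a UDP header (port 4500 by convention) so a NAT has
    ports to rewrite; the ESP data behind it is left untouched. A zero UDP
    checksum is permitted for IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp_packet), 0) + esp_packet


def simulate():
    """Return the receiver's verification results before and after a NAT hop."""
    payload = b"constructed inner packet data"
    # Protocol 51 is AH; the same header is reused for the ESP comparison.
    hdr = ipv4_header("10.1.1.5", "192.0.2.20", 51, len(payload))
    icv_ah = ah_icv(hdr, payload)
    icv_esp = esp_icv(payload)

    # Receiver check with no NAT in the path
    ah_before = hmac.compare_digest(icv_ah, ah_icv(hdr, payload))

    # A NAT between the tunnel endpoints rewrites the private source address
    nat_hdr = nat_rewrite_source(hdr, "203.0.113.9")
    ah_after = hmac.compare_digest(icv_ah, ah_icv(nat_hdr, payload))
    esp_after = hmac.compare_digest(icv_esp, esp_icv(payload))

    # With NAT-T the NAT rewrites the UDP ports, not the ESP data behind them
    udp_esp = nat_t_encapsulate(payload + icv_esp)
    return {"ah_before_nat": ah_before, "ah_after_nat": ah_after,
            "esp_after_nat": esp_after,
            "nat_t_dport": struct.unpack("!H", udp_esp[2:4])[0]}


if __name__ == "__main__":
    print(simulate())
```

The model deliberately leaves the AH and ESP headers themselves out (a real ICV covers the AH header, or the ESP header and trailer, as well); the point it isolates is which part of the packet the NAT rewrite lands in.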

Arguably the most vital component of IPSec/IKE is the establishment of SAs and key management. Although these tasks can be done manually, the XSR deploys IPSec through a scalable, automated SA and key management scheme known as the Internet Key Exchange (IKE), defined in RFC-2409. IKE is the default automated key management protocol for IPSec and creates SAs dynamically.

Refer to Table A-4 on page A-1 for the number of ISAKMP and IPSec SAs supported, by installed memory, on the XSR.

GRE over IPSec

As an alternative to IPSec, the XSR supports the Generic Routing Encapsulation protocol (GRE), defined by RFC-1701, which encapsulates arbitrary protocols in other protocols such as IP. GRE can tunnel these payloads between two routers over a network path that does not natively support the payload protocol; for example, AppleTalk packets can be tunneled in IP over the Internet.

GRE tunnel endpoints are represented as point-to-point (P2P) interfaces to the routing protocols. End-to-end traffic and routing protocol traffic flows through these interfaces as through physical network interfaces. The GRE tunnel encapsulates entire frames so it can carry multicast packets across the tunnel between two routers. This supports routing protocols such as OSPF.

GRE itself provides no security, but GRE packets can be encrypted and authenticated by the XSR’s IPSec subsystem; they are transmitted using IPSec transport mode. GRE with IPSec thus provides multiprotocol and multicast tunneling with strong security. Because GRE has no control protocol for tunnel establishment, both sides of the tunnel must have known, not dynamically assigned, IP addresses. Refer to “GRE Tunnel for OSPF” on page 14-40 for an example.

Note: GRE tunnel interfaces support P2P links only with other routers.
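The following is an added Python example, not code from the manual or the XSR, of the RFC-1701 GRE header the paragraphs above describe: it builds a GRE packet with the optional checksum, key and sequence number fields, parses it back, and carries a constructed OSPF packet addressed to the 224.0.0.5 multicast group through the encapsulation to show that multicast payloads pass intact. The inner packet contents, key and sequence values are constructed for the example; the GRE checksum is shown so that its limits are clear: it detects corruption only, and the authentication and confidentiality the text describes come from wrapping the GRE packet in IPSec.

```python
"""Minimal GRE (RFC 1701) encapsulation and parsing. Added example with
constructed payloads; the inner IPv4 header is simplified (zero checksum)."""
import socket
import struct

# Flag bits in the first 16-bit word of the GRE header; the low 3 bits are the version.
GRE_C = 0x8000  # checksum (and reserved offset) present
GRE_R = 0x4000  # routing present (not supported by this parser)
GRE_K = 0x2000  # key present
GRE_S = 0x1000  # sequence number present
PROTO_IPV4 = 0x0800
PROTO_APPLETALK = 0x809B  # EtherType for AppleTalk, the manual's example payload


def inet_checksum(data):
    """One's-complement checksum over 16-bit words (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, protocol, key=None, seq=None, checksum=True):
    """Wrap payload in a GRE header announcing the given protocol type."""
    flags, opts = 0, b""
    if checksum:
        flags |= GRE_C
        opts += struct.pack("!HH", 0, 0)      # checksum placeholder + reserved offset
    if key is not None:
        flags |= GRE_K
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opts += struct.pack("!I", seq)
    packet = struct.pack("!HH", flags, protocol) + opts + payload
    if checksum:
        # The checksum covers the GRE header and payload with the field itself zeroed
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet


def gre_parse(packet):
    """Split a GRE packet into its fields; raise ValueError on unsupported bits or a bad checksum."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if flags & GRE_R:
        raise ValueError("GRE source routing not supported")
    off, key, seq = 4, None, None
    if flags & GRE_C:
        csum = struct.unpack("!H", packet[4:6])[0]
        if inet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != csum:
            raise ValueError("GRE checksum mismatch")
        off += 4
    if flags & GRE_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return {"protocol": protocol, "key": key, "seq": seq, "payload": packet[off:]}


def gre_integrity_ok(packet):
    """True if the GRE checksum verifies, False on corruption. This catches
    accidental damage only: anyone can recompute a checksum, so authenticity
    must come from the IPSec ESP wrapping described in the text."""
    try:
        gre_parse(packet)
        return True
    except ValueError:
        return False


def ipv4_header(src, dst, proto, payload_len, ttl=1):
    """Minimal IPv4 header (checksum left zero) for a constructed inner packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ospf_over_gre_demo():
    """Tunnel a constructed OSPF packet (IP protocol 89) sent to the AllSPFRouters
    group 224.0.0.5 and confirm the multicast payload comes out unchanged."""
    ospf = b"constructed OSPF hello bytes"
    inner = ipv4_header("10.0.0.1", "224.0.0.5", 89, len(ospf)) + ospf
    tunneled = gre_encapsulate(inner, PROTO_IPV4, key=0x0000BEEF, seq=1)
    fields = gre_parse(tunneled)
    return {"protocol": fields["protocol"],
            "multicast_dst": socket.inet_ntoa(fields["payload"][16:20]),
            "payload_intact": fields["payload"] == inner,
            "overhead": len(tunneled) - len(inner)}


if __name__ == "__main__":
    print(ospf_over_gre_demo())
```

With checksum, key and sequence number all present the GRE overhead is 16 bytes per packet; that is the amount by which the IPSec transport-mode payload grows before ESP adds its own header, trailer and ICV.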

14-4 Configuring the Virtual Private Network

Enterasys Networks X-Pedition™ manual: GRE over IPSec, Tunnel Mode Processing