OSI and IPsec and GRE

Guys, which OSI layer do IPsec and GRE sit in? Which layer do they belong to?

Hi,
GRE adds another layer 3 header to the existing layer 3 packet.
IPsec transport mode adds a layer that sits between layer 3 and layer 4, to encrypt the data within the layer 4 PDU.
IPsec tunnel mode encapsulates the existing layer 3 packet in a new layer for encryption, then adds a new layer 3 header.
So, generally speaking, IPsec and GRE are said to be layer 3 protocols.
Cheers,
Istvan
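
To make the layering above concrete, here is an added example (not from the original thread; the gateway and host addresses are hypothetical documentation addresses) that builds the three encapsulations with nothing but the Python standard library and then walks the headers the way a router or firewall on the path would. `protocol_chain` returns `IPv4 / GRE / IPv4 / TCP` for GRE, but stops at `IPv4 / ESP` for both IPsec modes, because everything after the ESP SPI and sequence number is ciphertext to anyone who does not hold the SA. The XOR in `_esp_body` is only a visible stand-in for the cipher, not encryption, and the ESP ICV is omitted; the example is about header order, not cryptography.

```python
"""Header layering of GRE and IPsec ESP over IPv4, built and decoded with only the
standard library. Added example, not from the original thread."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPIP = 4      # "next header" for a whole IPv4 packet inside ESP (tunnel mode)
IPPROTO_GRE = 47      # GRE has its own IP protocol number: it rides directly on layer 3
IPPROTO_ESP = 50      # so does ESP
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {IPPROTO_TCP: "TCP", IPPROTO_GRE: "GRE", IPPROTO_ESP: "ESP"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 header (returns 0 when run over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options), DF set, checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ones_complement_checksum(fields)) + fields[12:]


def tcp_header(sport: int, dport: int) -> bytes:
    """Bare 20-byte TCP SYN header; its checksum is left zero, nothing here validates it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """GRE (RFC 2784): new IPv4 header + 4-byte GRE header + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C/K/S flags clear, version 0, payload = IPv4
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def _esp_body(cleartext: bytes, next_header: int) -> bytes:
    """ESP payload + trailer (padding, pad length, next header), then hidden from view.
    The XOR is a visible placeholder for the cipher, NOT encryption; the ICV is omitted."""
    pad_len = (-(len(cleartext) + 2)) % 4                  # payload+trailer is 4-byte aligned
    plain = cleartext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return bytes(b ^ 0xAA for b in plain)


def esp_transport(inner: bytes, spi: int, seq: int) -> bytes:
    """ESP transport mode (RFC 4303): keep the original IP header and addresses, rewrite
    its protocol to 50, and put ESP between it and the now-encrypted layer 4 PDU."""
    ihl = (inner[0] & 0x0F) * 4
    ip_hdr, l4_pdu = inner[:ihl], inner[ihl:]
    src = str(ipaddress.IPv4Address(ip_hdr[12:16]))
    dst = str(ipaddress.IPv4Address(ip_hdr[16:20]))
    esp = struct.pack("!II", spi, seq)
    body = _esp_body(l4_pdu, next_header=ip_hdr[9])        # trailer remembers the L4 protocol
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp) + len(body)) + esp + body


def esp_tunnel(inner: bytes, spi: int, seq: int, outer_src: str, outer_dst: str) -> bytes:
    """ESP tunnel mode: the whole inner IP packet is encrypted, then a new IP header is added."""
    esp = struct.pack("!II", spi, seq)
    body = _esp_body(inner, next_header=IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp) + len(body)) + esp + body


def protocol_chain(packet: bytes) -> list:
    """Walk the headers a router or firewall on the path can read. Stops at ESP: without the
    SA's key everything after SPI/sequence is opaque (including any GRE carried inside)."""
    chain, off = [], 0
    while True:
        ihl = (packet[off] & 0x0F) * 4
        proto = packet[off + 9]
        chain.append("IPv4")
        if proto != IPPROTO_GRE:
            chain.append(PROTO_NAMES.get(proto, str(proto)))
            return chain
        chain.append("GRE")
        flags, ptype = struct.unpack("!HH", packet[off + ihl:off + ihl + 4])
        # RFC 2890 optional fields: C (0x8000) checksum+reserved, K (0x2000) key, S (0x1000) sequence
        gre_len = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
        if ptype != ETHERTYPE_IPV4:
            chain.append("0x%04x" % ptype)
            return chain
        off += ihl + gre_len


# Constructed sample: one TCP SYN from a branch host to HQ, then the three encapsulations.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_TCP, 20) + tcp_header(40000, 443)
OUTER_SRC, OUTER_DST = "203.0.113.1", "198.51.100.1"   # hypothetical gateway addresses

if __name__ == "__main__":
    for name, pkt in [("GRE", gre_encapsulate(INNER, OUTER_SRC, OUTER_DST)),
                      ("ESP transport", esp_transport(INNER, 0x1000, 1)),
                      ("ESP tunnel", esp_tunnel(INNER, 0x1001, 1, OUTER_SRC, OUTER_DST))]:
        print("%-14s %3d bytes  visible chain: %s" % (name, len(pkt), " / ".join(protocol_chain(pkt))))
```

Note what the visible chain hides: in transport mode the outer addresses are still the two hosts' own, while in tunnel mode they are the gateways'. That is why GRE is usually paired with transport-mode ESP: the GRE tunnel endpoints already supply the gateway addresses, and a firewall between them sees only ESP, never the GRE or the inner packet.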

Similar Messages

  • Overlapping Networks with Tunnel GRE/IPsec and NAT

    Does anyone have experience with NAT on a GRE tunnel interface? I need to NAT between two private networks because they overlap. I tried to NAT directly on the tunnel interface,
    e.g.
    Ethernet 0/0
    ip nat inside
    Tunnel0 (GRE with crypto map)
    ip nat outside
    However, I didn't succeed this way. What's the best way to achieve my goal?

    Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/IPsec and NATing on a tunnel interface.
    However, I made some tests in the lab and it worked fine. So I went back to the customer site, and I had to reboot the small 836 to get it working.
    What I learned is: "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partner companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice.

  • ZBF self zone and IPSec/L2TP dialin

    Hi,
    I have a router that has an IPsec/L2TP dial-in VPN and uses ZBF for firewalling, including the self zone.
    The same router also has VTI GRE/IPsec tunnels to other sites.
    For the static VTI GRE/IPsec tunnel, I had to allow ISAKMP and ESP to/from the routers, but I didn't have to allow GRE. It appears that since the GRE traffic is 'encapsulated' within IPsec and belongs to an SA, the GRE to/from the router is 'passed' without any more intervention (which is fine by me, because I only want IPsec-encapsulated GRE traffic and _not_ 'raw' GRE).
    Now for the L2TP VPN that's not the case. I have to allow connections from my WAN zone to self on the L2TP UDP port ... and I find it annoying because I can't differentiate between L2TP traffic that _was_ IPsec protected and L2TP traffic that wasn't IPsec protected (and so someone could start an L2TP session without setting up IPsec protection).
    So in ZBF, is there a way to allow L2TP traffic only when it was encapsulated in IPsec?
    Cheers,
        Sylvain

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • Samsung Tab 10.1 WiFi Black 2014 Edition - AnyConnect and IPsec don't work

    I have an employee with a Samsung Tab 10.1 2014 black wifi-only edition tablet. She has tried to use both an IPsec connection and AnyConnect for ICS+ (and the normal AnyConnect Android client, and also the OpenConnect open source alternative to AnyConnect).
    The problematic behavior is the same on any VPN connection. The vpn client connects and then no traffic makes use of it. I can see the VPN session on the firewall and it shows no decrypted/decapsulated packets. Additionally, the tablet loses all internet access once the VPN connects (whether it is IPsec or Anyconnect) even though the VPN is set to use split tunneling (and I can see in the connection details that it is only set to tunnel a couple of /24 networks in the 10.x.x.x range).
    I have at least 20 other users that use the same VPN session groups with a variety of Windows, iOS and Android devices and so far, this Samsung tablet is the only problem.
    I have tried different accounts on this tablet and I have tried this employee's account on other devices and the problem remains only on the tablet. Her account works great logging in on my Samsung Galaxy S4 using both IPsec and Anyconnect client software. My account shows the same problem as her account when used on her tablet.
    I have applied all available updates on her tablet, it is currently running Android 4.4.2 and there are no updates available from Samsung for it.
    My phone is running 4.4.4 but the client app versions are the same on both devices.
    She has even exchanged the tablet for a replacement of the same model.
    Can anyone suggest any additional troubleshooting or cause for this problem?
    Basically it is as if the vpn client software works fine but the Android operating system simply ignores it except to stop all internet access.


  • ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

    Hi
    I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to machines with internal certificates only.
    I have the following infrastructure setup:
    ISA 2006 SP1 - Server 2003 R2 / SP2
    -Allows UDP 4500/500 and TCP 443
    -Hosted on VMWare ESXi 5
    Test laptop - Windows 7
    External Firewall static NAT's from a public IP to ISA server and allows the following:
    UDP 4500/500
    Protocol 50/51
    IPSEC policy configured on the ISA server:
    -IP Filter List = DMZ IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    IPSEC policy configured on the Windows 7 Test Laptop:
    -IP Filter List = External (public) IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    So far the following works:
    I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
    If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server. 
    If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server.  I note the following:
    -HTTPS is denied with no rule (an allow rule is present)
    -Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
    -The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
    -The event log shows main mode and quick mode as successful.
    -The IPSEC monitor shows SA's for quick mode and main mode.
    If I Google the error code, I gather it relates to the TCP checksum calculated by the ISA server disagreeing with the actual checksum received.  I guess this is part of AH.  I have tried the following:
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
    -Disable the following in the ISA server registry and reboot:
    RSS
    SecurityFilters
    TCPA
    TCPChimney
    -Disable Chimney Offload via Netsh command
    -Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
    -Switching to an E1000 NIC and disabling all offload options and rebooting
    -Upgrading E1000 drivers from base version (2002 driver) to intels later version (2008), rebooting and disabling all offload options.
    -Run a wireshark trace - cannot see anything useful
    -Checked Oakley log - cannot see anything useful
    I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
    I would really appreciate if anyone has any suggestions?
    Many Thanks
    Steven

    Hi,
    Glad to hear that. I'll mark it as answer. Thank you.
    Best Regards,
    Joyce

  • Calculating tax liabilities and report to GREs

    Hi all,
    Sorry, I've only recently learnt "Oracle HRMS"; however,
    how can I calculate tax liabilities and report to GREs in Oracle Payroll?
    Thank You,

    Don't feel sorry for learning Oracle HRMS :)
    Depending on the legislation you are implementing, the tax structure and other statutory deductions will vary, so you can refer to the Oracle Payroll User Guide for your legislation.
    Regards
    Ramesh Kumar S

  • Sourced Based VRFs and IPSEC

    Hi All,
    I have 2 questions.
    1) Does the Cisco 7600 router with SUP720-3BXL support VRF selection based on source IP address [Layer 3 VPNs]?
    2) We have various clients reaching a router and we want to forward them to their company's VRFs, based on their source address (given by RADIUS or statically). Now, ideally, we want to give the customer's HQ the option to connect to this router using leased lines (or Frame Relay) or by using IPsec (over the internet). Is this possible? Can traffic from an access server arrive at an interface and, based on the source, the user be forwarded either to a VRF or to IPsec?
    Regards.

    Hello,
    a solution to your problem could be to have a VRF-aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF aka VRF-lite). IPsec and Dialer interfaces are possible. Based on authentication you could define the VRF, and by having a dot1Q trunk to the 7600, which operates as the MPLS PE.
    A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
    Hope this helps! please rate all posts.
    Regards, Martin

  • How to verify encryption (isakmp and ipsec) on VPN

    Our customer believes the only way to verify data is being encrypted properly is to tap the fiber connections between our routers (encryptors). They are afraid that data might traverse the network that hasn't been encrypted.
    I contend that using Cisco show commands such as crypto session, crypto isakmp sa, and crypto ipsec sa validates that the VPN is set up correctly and providing data encryption.
    Does anyone else have this scenario and any suggestions would be greatly appreciated on validating encryption.
    Thank you.
    Antonio

    Hi Antonio,
    you can use the following show commands on the ASA to check the ISAKMP and IPsec details and the encrypted networks:
    sh cry isa sa det
    sh cry ipsec sa det
    sh vpn-sessiondb det l2l
    sh cry ipsec sa det peer
    please refer to the following link for router and ASA commands
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
    once you know the packets are getting encrypted on the device, you can run a capture on the outside interface of the VPN terminating device and use Wireshark to open the capture to do further analysis of the encryption on the captured packets.
    refer to the following doc to capture the packets on the FW
    https://supportforums.cisco.com/docs/DOC-17345
    Thanks and Regards,
            ROHAN
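
The capture step in Rohan's answer can be turned into a repeatable check that answers Antonio's customer without a fiber tap: on the outside interface, the only traffic between the two gateways should be ESP (IP protocol 50), AH (51) and IKE (UDP 500/4500), and no inner-network address should ever appear in a cleartext IP header. The added example below (not from the original thread) performs that audit with the Python standard library over a pcap that is constructed inline, so it runs offline. The gateway and inner addresses are hypothetical, and the sample pcap uses LINKTYPE_RAW so there is no link-layer header to skip; a real export from an ASA or IOS capture is normally Ethernet-framed, so skip the 14-byte Ethernet header in `iter_pcap` before running it on real data.

```python
"""Audit an outside-interface capture for traffic that should have been inside IPsec.
Added example (standard library only); the pcap below is constructed, not a real capture."""
import ipaddress
import struct

LINKTYPE_RAW = 101                 # pcap link type: each frame starts at the IP header
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
IKE_PORTS = {500, 4500}            # ISAKMP and NAT-T; expected in the clear


def classify(ip_packet, peers, protected):
    """Label one IPv4 packet seen on the outside interface.

    peers:     set of IPv4Address, the VPN gateways' public addresses
    protected: list of IPv4Network, inner prefixes that must only travel inside ESP
    """
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = ip_packet[9]
    src = ipaddress.IPv4Address(ip_packet[12:16])
    dst = ipaddress.IPv4Address(ip_packet[16:20])
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike"
    if any(src in net or dst in net for net in protected):
        return "LEAK:inner-address-in-clear"      # crypto ACL / tunnel did not match this flow
    if src in peers and dst in peers:
        return "LEAK:peer-traffic-not-ipsec"      # e.g. raw GRE between the gateways
    return "other"


def iter_pcap(data):
    """Yield the packet bytes of each record in a little-endian LINKTYPE_RAW pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RAW:
        raise ValueError("expected little-endian pcap with LINKTYPE_RAW frames")
    off = 24
    while off + 16 <= len(data):
        _ts, _us, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def audit(pcap_bytes, peers, protected):
    """Return (label counts, list of (label, src, dst) for every leak found)."""
    peer_addrs = {ipaddress.IPv4Address(p) for p in peers}
    counts, leaks = {}, []
    for pkt in iter_pcap(pcap_bytes):
        label = classify(pkt, peer_addrs, protected)
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("LEAK"):
            leaks.append((label, str(ipaddress.IPv4Address(pkt[12:16])),
                          str(ipaddress.IPv4Address(pkt[16:20]))))
    return counts, leaks


# --- constructed sample capture (hypothetical addresses; NOT a real trace) ---
def _ip(src, dst, proto, payload):
    """IPv4 header + payload; checksum left zero because the audit never validates it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def _udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def _pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


PEER_A, PEER_B = "203.0.113.1", "198.51.100.1"
PROTECTED = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
SAMPLE_CAPTURE = _pcap([
    _ip(PEER_A, PEER_B, IPPROTO_UDP, _udp(500, 500, b"\x00" * 28)),                      # IKE, fine
    _ip(PEER_A, PEER_B, IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 32),  # ESP, fine
    _ip(PEER_B, PEER_A, IPPROTO_ESP, struct.pack("!II", 0xCAFE0001, 1) + b"\x00" * 32),  # ESP, fine
    _ip(PEER_A, PEER_B, IPPROTO_GRE, struct.pack("!HH", 0, 0x0800) + b"\x00" * 20),      # raw GRE: leak
    _ip("10.10.5.7", "10.20.9.9", IPPROTO_TCP, b"\x00" * 20),                            # inner hosts in clear: leak
    _ip(PEER_A, "192.0.2.53", IPPROTO_UDP, _udp(40000, 53, b"\x00" * 12)),               # unrelated DNS
])

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE, {PEER_A, PEER_B}, PROTECTED)
    print(counts)
    for label, src, dst in leaks:
        print("%-30s %s -> %s" % (label, src, dst))
```

The two leak classes correspond to the two ways a GRE/IPsec design fails quietly: a crypto ACL or tunnel protection that no longer matches the GRE flow (raw GRE between the gateways), and routing that sends inner-network traffic out the WAN interface outside the tunnel. A clean capture is one where every packet between the peers is labelled esp, ah or ike and the leak list is empty.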

  • Server | communications | ike and ipsec settings

    Hi
    How important are the settings in monitor regarding IKE and IPsec? I was having 3rd-party site-to-site issues and started to modify these to try and resolve the issues. It did not seem to help and I am thinking I should set them back. Is there a way to reset them to defaults?
    Thanks,
    Will

    oops I do know.
    Would any of these cause an issue?
    The number on the left shows current, the right shows previous.
    I am also getting a lot of ike abends. Not sure if that is related.
    IKE AUTHMETHOD 0 1
    IKE PFS 1 0
    IKE lifetime 7200 300
    ipsec hash alg for pss 1 2
    ipsec encr alg for pss 2 3
    IPSec encap mode 2 1
    SA lifetime 7200 1000
    And IPSec SA 1 0
    ESP Algorithm ID 0 2
    AH Algorithm ID 0 2
    Thanks,
    Craig Johnson wrote:
    > Do you remember which ones you changed?
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    >
    >

  • Can a Cisco 2600 router do PPTP,L2TP, and IPSec?

    General question.

    2600 supports L2TP and PPTP with MPPE with an IP PLUS version, and IPsec with a firewall version.

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem

    Hi
    I have set up ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
    The clients have an IPSEC policy pushed to them via GPO.  The clients are Windows 7 laptops and the ISA server is Server 2003, so the IPSEC connection is IKE, not AuthIP.
    However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why.  I can't get the Oakley log to work and I can't see any traffic on the ISA.
    I am wondering if I need to publish the CRLs externally?  Currently we don't, and Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
    I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the Windows 7 machine but it doesn't seem to make a difference.
    Any advice would be appreciated.
    Steven

    Hi,
    Firstly, have you received any related error messages on the ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
    In addition, ISA 2006 only includes a Client Access Web Publishing Wizard for Exchange 2003 and Exchange 2007. Which Exchange version did you choose when publishing Exchange 2010?
    Please also make sure that you have selected the External interface for the web listener to listen on.
    Besides, the link below would be helpful to you:
    OWA publishing using Kerberos Constrained Delegation method for authentication delegation
    Best regards,
    Susie

  • 881 IOS support for IPSEC and OSPF

    Is there an IOS image for the 881 that contains IPSEC feature set AND support for OSPF? I recently purchased an 881 and it came default with this system image "c880data-universalk9-mz.152-4.M4.bin", however this image does not support OSPF. I need an IOS image that supports both OSPF and IPSEC feature sets. Please advise.

    Hi,
    according to Cisco's FN, you might need c880data-universalk9-mz.153-2.T1.bin.

  • DLSw and IPSEC

    Can anybody tell me if you can have a DLSw+ peer and an IPsec tunnel on the same router? We want to utilize DLSw+ on a branch router and use IPsec across the WAN back to the corporate office.
    Has anybody configured this before?
    Any lessons learned?
    Recommendations?
    Thanks!

    Hi David,
    Yes, multiple customers have deployed this, and it has been tested and measured in specific customer proof of concept labs. The only issue that I'm aware of is that the MTU size requirements are affected by encryption, so be sure to take that into account.
    http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a00801d3a9d.shtml
    In terms of performance, everyone's traffic is somewhat different, so it's impossible to say for sure. From what I remember of the proof of concept tests, 2600 routers did DLSw+ and software encryption just fine at DS0 rates.
    Rgds, Dan

  • CW LMS IPSec and SSH or... SNMPv3 for security?

    Two questions: IPsec and SSH, and SCP? Or SNMPv3? To protect my SNMP etc. traffic? If the answer is IPsec, then how do you set up the LMS/Windows 2003 server side of the tunnel?
    Will the LMS SSH run inside of the tunnel? SCP? How big of a hit will I take on the CPU? How slow? Is DES56 being used for encryption on both? (Sorry, that's more than 2 questions.) thx

    I would go for SNMPv3; it would be easier to set up and manage. For the RME portion go for SSH, just make sure that SNMPv3 is supported on all desired applications (RME, DFM, HUM, CM etc.).
    I don't think they all support v3 yet.
    Regards
    Farrukh

  • IKE, IPSec and Sonicwall Compatibility

    I have a number of Solaris 8 servers at local and remote locations. I also have an old Skip server to encrypt traffic between the offices and selected remote servers. There is also a Sonicwall for VPN services for remote users to be able to connect to our network.
    This is my first implementation on this so I am researching.
    I would like to get rid of the SKIP server and use IPsec or IKE on the Solaris servers and on the Sonicwall. Then my PCs on the inside network can just use the Sonicwall as the encryption gateway to the remote Solaris 8 servers. I have been reading on Solaris 8 IPsec and found that it will only work between SPARC servers. Is that correct?
    I also am a bit confused about the role IKE plays. It seems to work seamlessly with IPsec. Can you have one (IPsec) without the other?
    Also, I am planning on moving to Solaris 10 but thought I would start by getting rid of the SKIP server.
    Any suggestions would be appreciated.
    Thank you

    IPsec uses a few things to create an encrypted connection. IKE (Internet Key Exchange) is one part. IKE sets up the SAs (security associations) for IPsec. Rather than send you to the wiki entry, check the RFC: [http://www.ietf.org/rfc/rfc2401.txt]
    Never used IPsec on Sol 8. I would suspect it should work fine as long as your IPsec endpoints support the same encryption and hash that you may want to use. May be wrong on that....
