IPsec Crypto MAP VS IPsec Tunnel Protection Demystified


There are many discussions and many questions about GRE over IPsec with a crypto map versus Tunnel Protection (IPsec profile): the old method versus the new method.

Cisco introduced the concept of tunnel protection in the old SIMOS VPN course, which has since been replaced by the SVPN course.

In the old method, an extended ACL must be defined to match the traffic that will be encrypted. Since GRE is the encapsulation protocol for all IP packets going through the tunnel, traditionally we used an ACL (100 in our scenario) to match the GRE packets sourced from 1.1.1.1 and destined to 2.2.2.2 (in our scenario), because all traffic that goes through the tunnel is encapsulated with the public IP header defined by the tunnel source and tunnel destination commands under the tunnel interface.

After setting this ACL, we need the popular crypto map for IPsec phase 2. Under the crypto map we mainly put the ACL, using the match address 100 command, the peer, using the set peer 2.2.2.2 command, and the transform set, using the set transform-set command; finally we apply the crypto map on the physical interface.

Now, why move to Tunnel Protection or IPsec Profile? Simply because when we use IPsec with GRE (GRE over IPsec), the crypto map method contains a lot of DUPLICATED CONFIGURATION.

Where is this duplication? Looking at the figure, notice the following:

1- The set peer 2.2.2.2 command under the crypto map has the same meaning as the tunnel destination 2.2.2.2 command under the tunnel interface.

2- The second duplication is the ACL. With the old crypto map method we need a crypto ACL to identify the GRE packets and associate it to the crypto map using match address 100; the ACL plus match address 100 has the same meaning as the tunnel source 1.1.1.1 and tunnel destination 2.2.2.2 commands.

This is why Tunnel Protection, commonly known as IPsec Profile, comes to the rescue as the new method and replaces the old crypto map method.

You create an IPsec profile, associate the transform-set with it, then apply the IPsec profile on the tunnel interface, and BASTA. There is no need for an ACL or a peer: all of this information is already there in the tunnel interface.
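The two methods side by side, as an added configuration example that is not part of the original post. It uses the post's values (public addresses 1.1.1.1 and 2.2.2.2, crypto ACL 100); the IKEv1 policy values, the names TS, CMAP and IPSEC-PROF, the interface names, the tunnel addressing and the pre-shared key placeholder are assumptions for illustration.

```cisco
! ---- Common to both methods (assumed IKEv1 policy; adjust to your own) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER-PSK is a placeholder, not a real key
crypto isakmp key PLACEHOLDER-PSK address 2.2.2.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 ! transport mode is enough: GRE already supplies the outer IP header
 mode transport
!
! ---- Old method: crypto map on the physical interface ----
! crypto ACL: matches only GRE (IP protocol 47) between the two public addresses
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
!
crypto map CMAP 10 ipsec-isakmp
 ! duplicates "tunnel destination 2.2.2.2" on Tunnel0
 set peer 2.2.2.2
 set transform-set TS
 ! duplicates "tunnel source 1.1.1.1" + "tunnel destination 2.2.2.2" on Tunnel0
 match address 100
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map CMAP
!
! ---- New method: tunnel protection with an IPsec profile ----
crypto ipsec profile IPSEC-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile IPSEC-PROF
!
! no crypto ACL, no "set peer", and nothing applied on GigabitEthernet0/0
```

In both cases, confirm that the GRE traffic is actually being encrypted with show crypto session and show crypto ipsec sa (the encaps/decaps counters should increase as tunnel traffic flows). This check matters most with the crypto map: GRE carries no protection of its own, so a crypto ACL that does not match or a map applied to the wrong interface leaves the tunnel traffic crossing the public network in the clear. With tunnel protection the IPsec binding lives on the tunnel interface itself, so there is no separate ACL or peer entry to drift out of sync with the tunnel source and destination.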

Categories: Security
