Mikrotik
Cyril, 2017-05-17 23:04:07

Which is correct: IPSec over GRE or GRE over IPSec?

I needed to create an IPSec + GRE tunnel between a Cisco and Mikrotiks, where the Cisco is the central office and the Mikrotiks are the branches, of which there are N.
I read on the Internet that "IPSec over GRE" means encrypted IPSec data is carried inside an unencrypted GRE tunnel, and "GRE over IPSec" means GRE data is encapsulated with ESP or AH headers (that is, unencrypted GRE inside encrypted IPSec).
Question...
With which of these two configurations will the subnets of all branches be able to see each other? For example, let the central office have the subnet 10.10.10.0/24, and two branches A and B have the subnets 192.168.1.0/24 and 192.168.2.0/24 respectively. In which of the two configurations above would these two subnets (A and B) be able to see each other and the central office subnet?
As far as I know, "pure" IPSec cannot be routed. That is, NAT and firewall rules do not apply to IPSec packets.


3 answers
Alexander Romanov, 2017-05-18
@moneron89

Entering an IPSec secret when setting up a GRE tunnel simply gives you GRE over IPsec. I think this is the more correct approach, because the provider does not need to know what tunnels we are building (although, who needs us)). With this approach, pure ESP goes over the wire. With either of the configurations you describe, the networks will see each other with properly configured routing. I consider IPsec with an interface much more convenient and understandable than IPsec in tunnel mode.
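As an added example (not from the question or from any of the answers), this is what the branch-side configuration Alexander describes looks like in RouterOS: the `ipsec-secret` on the GRE interface makes RouterOS protect the GRE packets with ESP, so the tunnel is GRE over IPsec, and ordinary `/ip route` entries then decide which subnets are reachable through it. The public addresses, the 172.16.0.0/30 tunnel link, the interface name and the pre-shared key are constructed placeholders; branch B would get the same block with its own public address, its own /30 towards the hub and a route to 192.168.1.0/24.

```routeros
# Branch A (Mikrotik). Constructed addresses:
#   hub public address      198.51.100.1
#   branch A public address 203.0.113.10
#   tunnel link hub<->A     172.16.0.0/30 (hub .1, branch .2)
/interface gre
add name=gre-hub local-address=203.0.113.10 remote-address=198.51.100.1 \
    ipsec-secret=CHANGE_ME_PSK comment="GRE over IPsec to central office"

# Address on the tunnel interface; the hub side holds 172.16.0.1/30.
/ip address
add address=172.16.0.2/30 interface=gre-hub

# Plain routing decides what is reachable: the hub subnet and, via the
# hub, the other branch. The hub needs the mirror-image routes
# (192.168.1.0/24 into this tunnel, 192.168.2.0/24 into branch B's tunnel).
/ip route
add dst-address=10.10.10.0/24 gateway=172.16.0.1 comment="central office"
add dst-address=192.168.2.0/24 gateway=172.16.0.1 comment="branch B via hub"

# Only the hub may talk IKE/ESP/GRE to this router; drop the rest on input.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=198.51.100.1 action=accept
add chain=input protocol=ipsec-esp src-address=198.51.100.1 action=accept
add chain=input protocol=gre src-address=198.51.100.1 action=accept
```

The `ipsec-secret` form uses the router's default IPsec profile and proposal, which vary by RouterOS version (check `/ip ipsec profile print` and `/ip ipsec proposal print`), so the hub side has to be configured with matching algorithms, transport-mode ESP and one point-to-point tunnel interface per branch. To confirm that GRE is actually being encrypted rather than leaving in the clear, check that `/ip ipsec active-peers print` shows the hub and `/ip ipsec installed-sa print` shows ESP SAs for it. This also answers the "pure IPsec cannot be routed" concern from the question: the IPsec policy is generated only for the GRE packets, while branch traffic is ordinary routed traffic on `gre-hub`, so NAT and firewall rules apply to it as usual.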

Dmitry Shitskov, 2017-05-18
@Zarom

I see a lot of incorrect answers here. The only correct advice is from Igorjan.
Yes, you need exactly GRE over IPSec; it is the only way you will have a free hand with routing through the tunnels. It is also a foundation for the future: today you are on static routing, and tomorrow you may need dynamic routing so that branches can see each other, fault tolerance or something else... It is better to be ready for any expansion than to urgently drop everything and reconfigure all the tunnels again.

Dmitry, 2017-05-17
@Tabletko

If I remember correctly, GRE requires a public IP on each side and doesn't go through NAT. Better make pure IPsec.
