The two engineers, as they grabbed a quick lunch, looked over the following diagram.

The 13.0.0.0/24 network is the GRE tunnel. The routing in place uses the tunnel interfaces to reach the remote networks 1.1.1.0 and 3.3.3.0. The IPSec policy is to encrypt all GRE traffic between R1 and R3. R1 and R3 peer with each other using Loopback11 and Loopback33 respectively.
The technicians considered the traffic pattern if a host on the 3.3.3.0/24 network sent a packet to a device on the 1.1.1.0/24 network.
Then they reviewed the configurations (below) and discussed them. Based on what they saw, they just couldn’t agree completely with each other on the following questions:
1. How many IP headers would be in each packet?
2. What would the source and destination address be of each IP header?
3. What order would the IP headers be in (beginning with the outside header)?
4. Would the IPSec be using transport or tunnel mode?
5. Would this be called IPSec over GRE, GRE over IPSec, or something else (like “nightmare”)?
So they called for the expert, YOU, to assist with these questions.
Are you up to the challenge? Answering even one of them will be appreciated, so take a moment now, and GO FOR IT!
Post your ideas, and we will put all the people who post ideas into a virtual hat and draw a winner to receive 100 rack tokens to our preferred lab gear provider, Graded Labs. Please have your posts in by the end of the day Monday, May 24, 2010 to be in the drawing.
UPDATE:
It is May 24, 2010. Here are the answers:
How many IP headers would be in each packet?
3 headers total: 1 outside header between the IPsec peers, and 2 encrypted headers inside the ESP payload. (I used host addresses of 1.1.1.1 and 3.3.3.3 in the ping testing.)
What would the source and destination address be of each IP header?
1. source 33.33.33.3 destination 11.11.11.1
2. source 23.0.0.3 destination 10.0.0.1
3. source 3.3.3.3 destination 1.1.1.1
What order the IP headers would be in (beginning with the outside header)?
Using the numbering above:
1 = outside header (immediately before the ESP header)
2 = IP header used for transporting the GRE, which is now being encrypted by ESP
3 = original IP header, buried deep inside the encrypted packet.
Without encryption, the packet would look like this:

With encryption, it would look like this:

Would the IPSec be using transport or tunnel mode?
Tunnel. Because the crypto ACL matches GRE packets whose IP addresses (10.0.0.1 and 23.0.0.3) are not the IPsec peer addresses (11.11.11.1 and 33.33.33.3), the peers negotiate and use tunnel mode, even though we administratively configured transport mode on the transform sets.
Would this be called IPSec over GRE, GRE over IPSec, or something else?
This would be called GRE over IPSec, as in “GRE traffic, being carried over the network by IPSec”.
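The three-header stack in the answers above, as an added example that is not part of the original post: it builds the packet R3's ping would produce (ESP left in the clear, as esp-null would, so the nested headers can be inspected; the ICV is a zero placeholder rather than a real HMAC), walks the IP headers outermost-first, and models the IOS rule behind answer 4 (transport mode only when the protected packet's own addresses are the IPsec peers' addresses). The SPI, sequence number and ICMP payload are constructed values.

```python
"""GRE over IPsec header stack for the R1/R3 lab: build it, walk it, and
decide the IPsec mode. Constructed example; ESP payload left in the clear."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
IPV4_IN_ESP = 4      # ESP trailer Next Header value for an inner IPv4 packet
ICV_LEN = 12         # esp-md5-hmac uses a 96-bit truncated HMAC


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_gre_over_ipsec(inner_src, inner_dst, gre_src, gre_dst,
                         peer_src, peer_dst, spi=0x1000, seq=1) -> bytes:
    # Header 3: the original host packet (ICMP echo request, constructed payload).
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 72
    original = ipv4_header(inner_src, inner_dst, IPPROTO_ICMP, len(icmp)) + icmp
    # Header 2: GRE delivery header, tunnel source -> tunnel destination.
    # GRE: flags/version 0, protocol type 0x0800 (IPv4).
    gre = struct.pack("!HH", 0, 0x0800) + original
    gre_pkt = ipv4_header(gre_src, gre_dst, IPPROTO_GRE, len(gre)) + gre
    # ESP in tunnel mode wraps the whole GRE packet: SPI, sequence, payload,
    # padding to a 4-byte boundary, pad length, Next Header = 4, then the ICV
    # (a zero placeholder here, not a real HMAC).
    pad_len = (-(len(gre_pkt) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    esp = (struct.pack("!II", spi, seq) + gre_pkt + padding
           + struct.pack("!BB", pad_len, IPV4_IN_ESP) + b"\x00" * ICV_LEN)
    # Header 1: outer header between the IPsec peers (the loopbacks).
    return ipv4_header(peer_src, peer_dst, IPPROTO_ESP, len(esp)) + esp


def walk_ip_headers(pkt: bytes) -> list:
    """Return [(src, dst, proto), ...] outermost first, descending through
    ESP (tunnel mode, cleartext) and GRE until a non-tunnel protocol."""
    headers, off = [], 0
    while True:
        ihl = (pkt[off] & 0x0F) * 4
        proto = pkt[off + 9]
        src = str(IPv4Address(pkt[off + 12:off + 16]))
        dst = str(IPv4Address(pkt[off + 16:off + 20]))
        headers.append((src, dst, proto))
        off += ihl
        if proto == IPPROTO_ESP:
            next_hdr = pkt[-ICV_LEN - 1]          # trailer byte before the ICV
            if next_hdr != IPV4_IN_ESP:
                raise ValueError("ESP Next Header %d: not a tunnel-mode IPv4 SA" % next_hdr)
            off += 8                              # SPI + sequence number
        elif proto == IPPROTO_GRE:
            flags, ptype = struct.unpack("!HH", pkt[off:off + 4])
            if flags & 0xB000 or ptype != 0x0800:  # C/K/S bits would add fields
                raise ValueError("unexpected GRE header")
            off += 4
        else:
            return headers


def negotiated_mode(configured, protected_src, protected_dst, peer_a, peer_b) -> str:
    """IOS uses transport mode only if the protected packet's own addresses
    are the two IPsec peer addresses; otherwise it falls back to tunnel mode."""
    if configured == "transport" and {protected_src, protected_dst} == {peer_a, peer_b}:
        return "transport"
    return "tunnel"


if __name__ == "__main__":
    pkt = build_gre_over_ipsec("3.3.3.3", "1.1.1.1", "23.0.0.3", "10.0.0.1",
                               "33.33.33.3", "11.11.11.1")
    for depth, (src, dst, proto) in enumerate(walk_ip_headers(pkt), 1):
        print("IP header %d: %s -> %s proto %d" % (depth, src, dst, proto))
    print("mode:", negotiated_mode("transport", "23.0.0.3", "10.0.0.1",
                                   "33.33.33.3", "11.11.11.1"))
```

Changing the tunnel source/destination to the loopbacks in the call to `negotiated_mode` flips the result to transport, which is the change one commenter below proposes testing.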
Thanks to everyone who responded!
We put all who contributed (anything at all) into a hat and drew a name. The winner of the 100 rack tokens is: Kingsley Charles! (Please email me directly and I will get the tokens for you. My email address is kbarker@ine.com.)
The full configs for R1 and R3 are below, as well as a couple of show commands to assist in your final determination.
Best wishes.
R1#show run
hostname R1
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode transport
!
crypto map MYMAP local-address Loopback11
crypto map MYMAP 10 ipsec-isakmp
set peer 33.33.33.3
set transform-set MYSET
match address 100
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip rip advertise 60
!
interface Loopback11
ip address 11.11.11.1 255.255.255.0
ip rip advertise 60
!
interface Tunnel0
ip address 13.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 23.0.0.3
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip rip advertise 60
duplex auto
speed auto
crypto map MYMAP
!
router rip
timers basic 60 90 90 90
network 10.0.0.0
network 11.0.0.0
!
ip route 3.0.0.0 255.0.0.0 Tunnel0
!
access-list 100 permit gre any any
end
R1#show ip route | begin resort
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
R 2.0.0.0/8 [120/1] via 10.0.0.2, 00:00:27, FastEthernet0/0
R 33.0.0.0/8 [120/2] via 10.0.0.2, 00:00:27, FastEthernet0/0
S 3.0.0.0/8 is directly connected, Tunnel0
R 23.0.0.0/8 [120/1] via 10.0.0.2, 00:00:27, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/0
11.0.0.0/24 is subnetted, 1 subnets
C 11.11.11.0 is directly connected, Loopback11
13.0.0.0/24 is subnetted, 1 subnets
C 13.0.0.0 is directly connected, Tunnel0
R1#
R1#show crypto map
Crypto Map: "MYMAP" idb: Loopback11 local address: 11.11.11.1
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 33.33.33.3
Extended IP access list 100
access-list 100 permit gre any any
Current peer: 33.33.33.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
MYSET,
}
Interfaces using crypto map MYMAP:
FastEthernet0/0
R1#
******************************************************
******************************************************
R3#show run
hostname R3
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
mode transport
!
crypto map MYMAP local-address Loopback33
crypto map MYMAP 10 ipsec-isakmp
set peer 11.11.11.1
set transform-set MYSET
match address 100
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
ip rip advertise 60
!
interface Loopback33
ip address 33.33.33.3 255.255.255.0
ip rip advertise 60
!
interface Tunnel0
ip address 13.0.0.3 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 10.0.0.1
!
interface FastEthernet0/1
ip address 23.0.0.3 255.255.255.0
ip rip advertise 60
duplex auto
speed auto
crypto map MYMAP
!
router rip
timers basic 60 90 90 90
network 23.0.0.0
network 33.0.0.0
!
ip route 1.0.0.0 255.0.0.0 Tunnel0
!
access-list 100 permit gre any any
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
!
end
R3#
R3#show ip route | begin resort
Gateway of last resort is not set
S 1.0.0.0/8 is directly connected, Tunnel0
R 2.0.0.0/8 [120/1] via 23.0.0.2, 00:00:48, FastEthernet0/1
33.0.0.0/24 is subnetted, 1 subnets
C 33.33.33.0 is directly connected, Loopback33
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
23.0.0.0/24 is subnetted, 1 subnets
C 23.0.0.0 is directly connected, FastEthernet0/1
R 10.0.0.0/8 [120/1] via 23.0.0.2, 00:00:48, FastEthernet0/1
R 11.0.0.0/8 [120/2] via 23.0.0.2, 00:00:48, FastEthernet0/1
13.0.0.0/24 is subnetted, 1 subnets
C 13.0.0.0 is directly connected, Tunnel0
R3#show crypto map
Crypto Map: "MYMAP" idb: Loopback33 local address: 33.33.33.3
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 11.11.11.1
Extended IP access list 100
access-list 100 permit gre any any
Current peer: 11.11.11.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
MYSET,
}
Interfaces using crypto map MYMAP:
FastEthernet0/1
R3#ping 1.1.1.1 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/152/180 ms
R3#
35 Responses to “CCIE Security – Tunnels within Tunnels challenge.”
1. 2 IP Headers – GRE/IP header and IP header
2. GRE/IP: Source = Tunnel Source, Destination = Tunnel Destination
IP Header: Source=IP address of host on 3.3.3.0, destination is Ip address of destination on 1.1.1.0 network
3. GRE/IP Header –> ESP Header –> GRE header –> IP Header
4. Transport mode – That’s what the config says
5. GRE over IPSec
Hello,
There will be 2 IP headers: the initial one with SA 1.1.1.1 and DA 3.3.3.3, and the one added due to the GRE encapsulation with SA 11.11.11.1 and DA 33.33.33.3.
IPSEC is configured in transport mode, and therefore only the GRE payload will get encrypted, leaving the second (GRE) IP header intact.
The packet will look like this:
| IP HDR2 | |ESP| |GRE| |IP HDR1| |DATA| |ESP trailer|
It's being called GRE over IPSEC.
Rgds Cyril
Hello,
Here’s what I think.
The echo-request packet going from 3.3.3.3 to 1.1.1.1 is going to look like this
MAC , IP(2) , ESP , GRE , IP(1) , ICMP , Payload
To answer your questions :
1. How many IP headers would be in each packet.
Answer : 2
2. What would the source and destination address be of each IP header.
Answer : IP(1) -> Source : 3.3.3.3 , dest : 1.1.1.1
IP(2) -> Source : 13.0.0.3 dest : 130.0.0.1
3. What order the IP headers would be in (beginning with the outside header).
Answer : Please refer to the illustration (at the beginning)
4. Would the IPSec be using transport or tunnel mode.
Answer : Transport mode
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
Answer : IPsec over GRE , nightmare , interview question that will not get you the job.
I hope I nailed at least 1/5
Cheers,
TacACK
Sorry, there was a typo in the 2nd question’s answer :
IP(2) -> Source : 13.0.0.3 dest : 13.0.0.1
1. 3
2. in the cloud, source will be 23.0.0.3, dest=10.0.0.1
3. IPSec,GRE,IP
4. transport
5. GRE over IPSec
Let’s give this a try.
1. 3 total IP headers:
1 unencrypted IP header
2 encrypted IP headers
2. ESP 11.11.11.11 to/from 33.33.33.33
GRE 13.0.0.1 to/from 23.0.0.3 -=ENCRYPTED=-
IP 1.1.1.1 to/from 3.3.3.3 -=ENCRYPTED=-
3. ESP IP, GRE source IP, Original IP
4. Transport
5. GRE over IPSec
Ping from R1 to R3
ping 3.3.3.3 so 1.1.1.1
IP 11.11.11.11 -=PEER IP=-
ESP
IP 13.0.0.1 -=ENCRYPTED=-
GRE -=ENCRYPTED=-
IP 1.1.1.1 -=ENCRYPTED=-
ICMP -=ENCRYPTED=-
Hi there … I guess there is a little problem with the run. I think this command should be added to:
R1#conf t
R1(config)#crypto map MYMAP local-address lo 11
R1#conf t
R1(config)#crypto map MYMAP local-address lo 33
Regards !!!
1. There are only two IP headers: the original IP header and the GRE IP header.
2. The packet is sent out from interface 0/0 with the IP address pair 11.11.11.1 & 33.33.33.3. The inner header is the GRE header, which has the IP addresses 1.1.1.1 and 3.3.3.3.
3. [is the L2 -[ GRE IP header ,[ESP Header [Original IP payload ,Data ]]].
4. In action the IPsec header only includes the GRE IP payload; this is transport mode. IPSec does not include the GRE IP header. But in reality IPSec has encrypted the original IP payload and the data, so this can be interpreted as tunnel mode.
5. I think GRE over IPSec, because the original GRE header is used to transport the ESP.
Sorry,
5. I think IPSec over GRE, because the original GRE header is used to transport the ESP.
I’m not a security master blaster but will try to answer a few.
1. How many IP headers would be in each packet.
There will be two IP headers in each packet as it is in tunnel mode
2. What would the source and destination address be of each IP header.
Tunnel endpoints in the outer header and original endpoints in the original IP header
3. What order the IP headers would be in (beginning with the outside header).
new IP header(outer) >> IPSec >> IP header .
4. Would the IPSec be using transport or tunnel mode.
It’s using tunnel mode, which is the default on a Tunnel interface.
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
a wild guess >> IPsec over GRE.
Regards
Ronnie
Looks to be transport mode, and I would call it IPSec over GRE.. still need to look into the headers
R3#ping 1.1.1.1 so lo 0
1. How many IP headers would be in each packet.
Answer: Two
2. What would the source and destination address be of each IP header.
The ICMP one: Source: 3.3.3.3 || Destination: 1.1.1.1
The GRE one (as it’s transport mode, this will be the final IP header)
Source: 23.0.0.3 || Destination: 10.0.0.1
3. What order the IP headers would be in (beginning with the outside header).
Outside In:
– Layer2 Stuff
– IP: S: 23.0.0.3 || D: 10.0.0.1
– ESP Header
– GRE Header
– IP: S: 3.3.3.3 || D: 1.1.1.1
– ICMP Header and ping payload
4. Would the IPSec be using transport or tunnel mode.
Answer: Transport
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
Answer: GRE over IPSec
as GRE is being encapsulated in IPSEC
1. How many IP headers would be in each packet. 2 headers
2. What would the source and destination address be of each IP header. The outside IP header will be of the tunnel source and destination, and the inside header will be the original IP header before the GRE encapsulation
3. What order the IP headers would be in (beginning with the outside header). GRE then original IP header
4. Would the IPSec be using transport or tunnel mode. Tunnel mode
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”). IPsec over GRE tunnel
thanks
Hi, below are my answers:
1. How many IP headers would be in each packet.
- 2
2. What would the source and destination address be of each IP header.
- first outer header src 23.0.0.3 -> dst 10.0.0.1, second eg. src 3.3.3.3 -> dst 1.1.1.1
3. What order the IP headers would be in (beginning with the outside header).
- IP, ESP, GRE, IP, PAYLOAD, ESP trailer
4. Would the IPSec be using transport or tunnel mode.
- transport mode
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
- GRE over Ipsec
I hope it’s correct
Hi,
Kindly find below the responses
1. How many IP headers would be in each packet.
2 IP headers in the packet
2. What would the source and destination address be of each IP header.
GRE IP header:source:23.0.0.1,dest:23.0.0.3
3. What order the IP headers would be in (beginning with the outside header).
GRE IP header and IP header of the packet
4. Would the IPSec be using transport or tunnel mode.
Transport
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
GRE over IPSEC
Thanks
Regards
Anantha Subramanian Natarajan
Hi,
Missed answering one part of question 3: IP header source is 3.3.3.3 and dest 1.1.1.1
Thanks
Regards
Anantha Subramanian Natarajan
1- Three, one for esp-ip, one for gre-ip, one for ip
2- ESP IP Header: 11.11.11.1/ 33.33.33.3
GRE IP Header: 10.0.0.1/23.0.0.3
IP Header: 1.1.1.1 / 3.3.3.3
3- ESP IP Header/ESP Header/GRE IP Header/GRE/IP header/TCP header/DATA/ESP Trailer
4- Configured for transport, but the result would be tunnel mode!
5- IPSEC over GRE transport mode:) (equivalent to GREoIPSec Tunnel mode)
1) 2 headers – one for the original and one for the GRE tunnel; 30 – 37 bytes will be used for the IPsec transport header. It requires the payload size to be a multiple of 8 bytes, so from 0 to 7 bytes may be needed for padding; 24 bytes will be used for the GRE header
2) external gre ip header: 10.0.0.1 – 23.0.0.3, original (internal) ip header: 1.1.1.1 – 3.3.3.3
3) gre ip header – original ip header
4) ipsec tunnel mode will be transport according to transform-set
5) this would be called gre over ipsec.
Iman – The local-address commands are in there, just above the creation of the crypto maps.
Lots of great input! If you want to revise your answer, no problem. The drawing will be on Monday evening!
Thanks.
1. There should be three IP headers in each packet:
– (1) encapsulating the ESP
– (2) inside the ESP, which is the GRE/delivery IP header
– (3) inside the GRE payload, encapsulating the ICMP echos
2. Headers:
– (1) IPv4 SA & DA will be 11.11.11.1 and 33.33.33.3, protocol field should be set to ESP
– (2) IPv4 SA & DA will be 10.0.0.1 and 23.0.0.3, protocol field should be set to GRE
– (3) IPv4 SA & DA will be 1.1.1.1 and 3.3.3.3, protocol field should be set to ICMP
3. Header order:
– IP header (1) with SA/DA 11.11.11.1 and 33.33.33.3, protocol = ESP
– ESP header
– IP header (2) with SA/DA 10.0.0.1 and 23.0.0.3, protocol = GRE
– GRE header
– IP header (3) with SA/DA 1.1.1.1 and 3.3.3.3, protocol = ICMP
– ICMP header
– ICMP payload
– ESP trailer
4. Despite being configured for IPSec transport mode, IPSec will always work in tunnel mode with the current configuration – see the enclosed output from my test below. In my opinion the reason is that the IPSec crypto map is applied on the physical interface, and the GRE Tunnel interface source and destination are set to the physical interfaces’ IPs, whereas the crypto identities are Loopback interfaces 11 and 33 (for R1 and R3 correspondingly, set via the command “crypto map local-address”). I guess if we change the GRE Tunnel source and destination to match the crypto identities (set them to Loopbacks 11 and 33) then IPsec should start working in transport mode – something to do as a next step.
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/36/48 ms
R1#
R1#sh cry ips trans
Transform set MYSET: { esp-null esp-md5-hmac }
will negotiate = { Transport, },
R1#sh cry ips sa | i in use
in use settings ={Tunnel, }
in use settings ={Tunnel, }
R1#
5. This is supposed to work as GRE over IPSec, and on this I based my answers to questions 1 to 3, but with the current config having the crypto identities not matching the GRE tunnel endpoints it is quite confusing, I admit.
Here’s my answer:
1) 2 IP headers exist. 1 is GRE IP and 1 is the IP header. IPSEC does not need an IP header because it is encapsulated inside of the GRE “Tunnel”.
2) Router #1: GRE IP Header Source: 10.0.0.1, Dest: 23.0.0.3
IP header: Source: 11.11.11.1, Dest: 33.33.33.3
vice versa for Router #2.
3) GRE IP Header, ESP Header, GRE, IP Header, TCP Header DATA, ESP Trailer
4) Transport
5) This is tough, but either way you have to call it GRE over IPsec because in both cases there is GRE data being encrypted by IPsec.
Correction, IP headers are the loopbacks 1.1.1.1, Destination 3.3.3.3 and vice versa.
I agree with sivchev, exactly as he stated below:
1. There should be three IP headers in each packet:
– (1) encapsulating the ESP
– (2) inside the ESP, which is the GRE/delivery IP header
– (3) inside the GRE payload, encapsulating the ICMP echos
2. Headers:
– (1) IPv4 SA & DA will be 11.11.11.1 and 33.33.33.3, protocol field should be set to ESP
– (2) IPv4 SA & DA will be 10.0.0.1 and 23.0.0.3, protocol field should be set to GRE
– (3) IPv4 SA & DA will be 1.1.1.1 and 3.3.3.3, protocol field should be set to ICMP
3. Header order:
– IP header (1) with SA/DA 11.11.11.1 and 33.33.33.3, protocol = ESP
– ESP header
– IP header (2) with SA/DA 10.0.0.1 and 23.0.0.3, protocol = GRE
– GRE header
– IP header (3) with SA/DA 1.1.1.1 and 3.3.3.3, protocol = ICMP
– ICMP header
– ICMP payload
– ESP trailer
4. Despite being configured for IPSec transport mode, IPSec will always work in tunnel mode with the current configuration – see the enclosed output from my test below. In my opinion the reason is that the IPSec crypto map is applied on the physical interface, and the GRE Tunnel interface source and destination are set to the physical interfaces’ IPs, whereas the crypto identities are Loopback interfaces 11 and 33 (for R1 and R3 correspondingly, set via the command “crypto map local-address”). I guess if we change the GRE Tunnel source and destination to match the crypto identities (set them to Loopbacks 11 and 33) then IPsec should start working in transport mode – something to do as a next step.
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/36/48 ms
R1#
R1#sh cry ips trans
Transform set MYSET: { esp-null esp-md5-hmac }
will negotiate = { Transport, },
R1#sh cry ips sa | i in use
in use settings ={Tunnel, }
in use settings ={Tunnel, }
R1#
5. This is supposed to work as GRE over IPSec, and on this I based my answers to questions 1 to 3, but with the current config having the crypto identities not matching the GRE tunnel endpoints it is quite confusing, I admit.
Let’s consider we ping from r1
R1#ping 3.3.3.3 source 1.1.1.1
1. How many IP headers would be in each packet.
The format of the packet will be
IPhdrESP – IPHdrGRE – IPhdrpayload
Total 3 IP headers
2. What would the source and destination address be of each IP header.
Taking the headers from the left i.e., outermost
Outer most IP header – ESP’s IP header
Src IP – 11.11.11.11
Dest IP – 33.33.33.33
Next IP header – GRE’s IP header
Src IP – 13.0.0.1
Dest IP – 23.0.0.3
Inner most IP header – ICMP’s header
Src IP – 1.1.1.1
Dest IP – 3.3.3.3
3. What order the IP headers would be in (beginning with the outside header).
From left
Outside IP header – ESP’s IP header
Middle IP header – GRE’s IP header
Inner IP header – Payload’s IP header
4. Would the IPSec be using transport or tunnel mode.
Transport mode uses the original IP header and inserts ESP header in between the IP header and Payload.
Tunnel mode uses a new IP header and inserts ESP in between the new IP header and original IP header.
With this configuration, that is GREoIPSec, both when using transport or tunnel mode the packet format and the number of IP headers are the same.
Here we have three IP headers. The outermost/leftmost IP header is that of the crypto interface, and the original IP header of the payload is innermost.
Hence I would say this is tunnel mode.
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
This is known as GREoIPSec. GRE is transported over IPSec, hence we call it GRE over IPSEC – GREoIPSec
Missed some words in my answer of 4th question..
Here we have three IP headers. The outermost/leftmost IP header will have the IP addresses of 11.11.11.11 and 33.33.33.33,
from the crypto interfaces.
The innermost IP header is the original IP header, which will have IP addresses of 1.1.1.1 and 3.3.3.3.
By definition, it is transport mode.
Overlooked, correcting 2nd answer
2. What would the source and destination address be of each IP header.
Taking the headers from the left i.e., outermost
Outer most IP header – ESP’s IP header
Src IP – 11.11.11.1
Dest IP – 33.33.33.3
Next IP header – GRE’s IP header
Src IP – 10.0.0.1
Dest IP – 23.0.0.3
Inner most IP header – ICMP’s header
Src IP – 1.1.1.1
Dest IP – 3.3.3.3
OK, this is my last and final post. There are typos in my last three posts: I mentioned transport mode by mistake instead of tunnel mode. Also I have put the correct addresses of l11 and l33 in the post.
The corrections in this post are that I have put the correct addresses and “tunnel mode” as the answer.
Consider this as my final answer.
Let’s consider we ping from r1
R1#ping 3.3.3.3 source 1.1.1.1
1. How many IP headers would be in each packet.
The format of the packet will be
IPhdrESP – IPHdrGRE – IPhdrpayload
Total 3 IP headers
2. What would the source and destination address be of each IP header.
Taking the headers from the left i.e., outermost
Outer most IP header – ESP’s IP header
Src IP – 11.11.11.1
Dest IP – 33.33.33.3
Next IP header – GRE’s IP header
Src IP – 10.0.0.1
Dest IP – 23.0.0.3
Inner most IP header – ICMP’s header
Src IP – 1.1.1.1
Dest IP – 3.3.3.3
3. What order the IP headers would be in (beginning with the outside header).
From left
Outside IP header – ESP’s IP header
Middle IP header – GRE’s IP header
Inner IP header – Payload’s IP header
4. Would the IPSec be using transport or tunnel mode.
Transport mode uses the original IP header and inserts ESP header in between the IP header and Payload.
Tunnel mode uses a new IP header and inserts ESP in between the new IP header and original IP header.
With this configuration, that is GREoIPSec, both when using transport or tunnel mode the packet format and the number of IP headers are the same.
Here we have three IP headers. The outermost/leftmost IP header will have the IP addresses of 11.11.11.1 and 33.33.33.3,
from the crypto interface.
The innermost IP header is the original IP header, which will have IP addresses of 1.1.1.1 and 3.3.3.3.
Since the packet uses a new IP header, that of the router doing IPSec, by definition it is tunnel mode.
5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
This is known as GREoIPSec. GRE is transported over IPSec, hence we call it GRE over IPSEC – GREoIPSec
My Answers:
1. Two IP headers – Outside IP header and Actual IP header
2. Outside GRE/IP header – source: GRE tunnel source, dest: GRE tunnel dest
Actual IP header – source: host from 3.3.3.0/24 network, dest: host from 1.1.1.0/24 network
3. GRE/IP header | ESP | GRE header | Actual IP header | Data | ESP Trailer
4. Transport mode
5. IPSec over GRE because of the transport mode
Rgds,
Shoeb
1. How many IP headers would be in each packet.
3 IP headers
2. What would the source and destination address be of each IP header.
- outside IP HDR SA 11.11.11.1 DA 33.33.33.3 Prot ESP (50)
- inside ESP-encaps IP HDR SA 10.0.0.1 DA 23.0.0.3 Prot GRE (47)
- inside GRE-encaps IP HDR SA 1.1.1.1 DA 3.3.3.3 Prot ICMP (1)
(assuming a ping from 1.1.1.1 to 3.3.3.3)
3. What order the IP headers would be in (beginning with the outside header).
As per above
IP HDR1 — ESP — IP HDR2 — GRE — IP HDR3 — ICMP — ESP trailer
4. Would the IPSec be using transport or tunnel mode.
Although the config says transport, IPsec is actually using tunnel mode since the IPsec peers’ IPs differ from the GRE endpoints
5. Would this be called IPSec over GRE, GRE over IPSec, or something else
As GRE is encapsulated into ESP, that’s likely to be called GRE over IPSEC
1. 2 IP Headers
2. IP2 (inner) 3.3.3.3 1.1.1.1
IP1 (outer) 10.0.0.3 10.0.0.1
3. IP1 – IP2
4. Transport
5. GRE over IPSEC
1) 2 IP headers exist. 1 is GRE IP and 1 is the IP header.
2) GRE IP Header Source: 13.0.0.1, Dest: 13.0.0.3
IP header: Source: 11.11.11.1, Dest: 33.33.33
3)
4) Transport
5) GRE over IPsec
Hello, here are some answers:
1- 2 IP Headers
4- Transport
5- IPSec Over GRE
I’ll try to reply on 2 & 3 later on tonight
Hello – Thanks for all the awesome input!
The answers were added to the post, and a winner was selected. Take a look at the answers as well as who won the 100 tokens for graded labs!
Thanks again.
Th INE…..
Love this blog
With regards
Kings