May 17

The two engineers, as they grabbed a quick lunch, looked over the following diagram.

[Diagram: three routers in a row, with a tunnel running between R1 and R3]

The 13.0.0.0/24 network is the GRE tunnel. The routing in place uses the tunnel interfaces to reach the remote networks 1.1.1.0/24 and 3.3.3.0/24. The IPSec policy is to encrypt all GRE traffic between R1 and R3. R1 and R3 peer with each other using Loopback11 and Loopback33 respectively.

The technicians considered the traffic pattern if a host on the 3.3.3.0/24 network sent a packet to a device on the 1.1.1.0/24 network.

Then they reviewed the configurations (below) and discussed them. Based on what they saw, they just couldn’t agree completely with each other on the following questions:

1. How many IP headers would be in each packet?
2. What would the source and destination address be of each IP header?
3. What order would the IP headers be in (beginning with the outside header)?
4. Would the IPSec be using transport or tunnel mode?
5. Would this be called IPSec over GRE, GRE over IPSec, or something else (like “nightmare”)?

So they called for the expert, YOU, to assist in these questions.

Are you up to the challenge? Answering even one of them will be appreciated, so take a moment now, and GO FOR IT!

Post your ideas, and we will put all the people who post ideas into a virtual hat, and draw a winner to receive 100 rack tokens to our preferred lab gear provider, Graded Labs. Please have your posts in by the end of the day Monday, May 24, 2010 to be in the drawing.

UPDATE:

It is May 24, 2010. Here are the answers:

How many IP headers would be in each packet?

3 headers total: 1 outside header between the IPsec peers, and 2 encrypted headers inside the ESP payload. (I used host addresses of 1.1.1.1 and 3.3.3.3 in the ping testing.)

What would the source and destination address be of each IP header?

1. source 33.33.33.3 destination 11.11.11.1
2. source 23.0.0.3 destination 10.0.0.1
3. source 3.3.3.3 destination 1.1.1.1

What order would the IP headers be in (beginning with the outside header)?

Using the numbering above:
1 = Outside header (immediately before the ESP header)
2 = IP header used for transporting the GRE, which is now encrypted by ESP
3 = Original IP header, buried deep in the encrypted packet

Without encryption, the packet would look like this:

[Figure: Before Encryption]

With encryption, it would look like this:

[Figure: After Encryption]

Would the IPSec be using transport or tunnel mode?

Tunnel. Transport mode can only be used when the packet being protected is addressed between the IPsec peers themselves. Here the crypto ACL matched GRE packets whose addresses (10.0.0.1 and 23.0.0.3, the GRE tunnel endpoints) are not the IPsec peer addresses (11.11.11.1 and 33.33.33.3), so the peers negotiate and use tunnel mode, even though we administratively configured transport mode on the transform sets.

Would this be called IPSec over GRE, GRE over IPSec, or something else?

This would be called GRE over IPSec, as in “GRE traffic, being carried over the network by IPSec”.
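To make the header count, the header order and the transport-versus-tunnel rule concrete, here is an added Python model; it is not part of the original post and not INE's lab code. It takes its addresses from the R1/R3 configurations below (R3 Tunnel0 source/destination, the crypto map local-address and peer, and the ping from Loopback0). To keep the inner headers readable by the parser it assumes esp-null instead of the lab's esp-des, leaves IP checksums at zero, omits the ESP ICV, and uses a constructed SPI of 0x1000. It also goes one step beyond the lab by building the transport-mode layout that would result if the GRE endpoints were the same addresses as the IPsec peers, so the two layouts can be compared side by side.

```python
"""Header-stack model for the GRE-over-IPsec lab (added example, not INE's code)."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_ESP = 1, 4, 47, 50

# Addresses taken from the R1/R3 configs on this page, for a ping sourced from R3's Loopback0.
LAB = {
    "gre_src": "23.0.0.3", "gre_dst": "10.0.0.1",            # R3 Tunnel0 source / destination
    "peer_local": "33.33.33.3", "peer_remote": "11.11.11.1",  # crypto map local-address / set peer
    "host_src": "3.3.3.3", "host_dst": "1.1.1.1",            # R3#ping 1.1.1.1 so lo 0
}


def negotiated_mode(configured, gre_src, gre_dst, peer_local, peer_remote):
    """Transport mode keeps the protected packet's own IP header and inserts ESP
    behind it, so it only works when that header is addressed between the two
    IPsec peers.  Otherwise the SA falls back to tunnel mode, as the lab shows."""
    if configured == "transport" and {gre_src, gre_dst} == {peer_local, peer_remote}:
        return "transport"
    return "tunnel"


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left at 0 in this model)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def gre(payload):
    """GRE header with no flags and protocol type 0x0800 (IPv4 inside)."""
    return struct.pack("!HH", 0, 0x0800) + payload


def esp_null(next_header, payload, spi=0x1000, seq=1):
    """ESP with esp-null: SPI, sequence number, plaintext payload, padding to a
    4-byte boundary, then the trailer (pad length, next header).  ICV omitted."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default pad bytes 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + payload + padding + struct.pack("!BB", pad_len, next_header)


def build_packet(mode, p):
    """Echo request from host_src to host_dst, GRE-encapsulated, then ESP-protected."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 72      # 80-byte echo request
    inner = gre(ipv4(p["host_src"], p["host_dst"], IPPROTO_ICMP, icmp))
    if mode == "tunnel":
        # Tunnel mode: the whole GRE delivery packet goes inside ESP (next header 4 = IP-in-IP)
        # and a new outer header addressed between the IPsec peers is added in front.
        delivery = ipv4(p["gre_src"], p["gre_dst"], IPPROTO_GRE, inner)
        return ipv4(p["peer_local"], p["peer_remote"], IPPROTO_ESP, esp_null(IPPROTO_IPIP, delivery))
    # Transport mode: the GRE delivery header is reused as the outer header, ESP sits
    # directly behind it, and the trailer's next header says GRE (47).
    return ipv4(p["gre_src"], p["gre_dst"], IPPROTO_ESP, esp_null(IPPROTO_GRE, inner))


def walk(pkt):
    """Follow the encapsulation chain; return the IP headers found, outermost first,
    as (src, dst, protocol) tuples."""
    found, proto = [], IPPROTO_IPIP            # start by reading the buffer as IPv4
    while True:
        if proto == IPPROTO_IPIP:
            ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
            proto = pkt[9]
            found.append((str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), proto))
            pkt = pkt[ihl:total]
        elif proto == IPPROTO_ESP:
            pad_len, proto = pkt[-2], pkt[-1]  # trailer: next header tells us what ESP carried
            pkt = pkt[8:len(pkt) - pad_len - 2]
        elif proto == IPPROTO_GRE:
            if struct.unpack("!H", pkt[2:4])[0] != 0x0800:
                raise ValueError("GRE payload is not IPv4")
            proto, pkt = IPPROTO_IPIP, pkt[4:]
        else:                                  # ICMP (or anything else): end of the chain
            return found


def lab_answer():
    """Mode the lab negotiates and how many IP headers each packet carries."""
    mode = negotiated_mode("transport", LAB["gre_src"], LAB["gre_dst"],
                           LAB["peer_local"], LAB["peer_remote"])
    return mode, len(walk(build_packet(mode, LAB)))


if __name__ == "__main__":
    mode, count = lab_answer()
    print(f"negotiated mode: {mode}, IP headers per packet: {count}")
    for src, dst, proto in walk(build_packet(mode, LAB)):
        print(f"  {src} -> {dst}  protocol {proto}")
```

Running it with the lab addresses reports tunnel mode and three IP headers, outermost first 33.33.33.3 to 11.11.11.1 (protocol 50), then 23.0.0.3 to 10.0.0.1 (protocol 47) and 3.3.3.3 to 1.1.1.1 (protocol 1), matching the answer above. Building the transport-mode variant instead yields only two IP headers, because the GRE delivery header doubles as the ESP outer header; the ESP trailer's next-header byte (4 versus 47) is what tells a parser, or a packet capture, which of the two layouts it is looking at.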

Thanks to everyone who responded!

We put all who contributed (anything at all) into a hat and drew a name. The winner of the 100 rack tokens is: Kingsley Charles! (Please email me directly, and I will get the tokens for you. My email address is kbarker@ine.com.)

The full configs for R1 and R3 are below, as well as a couple of show commands to assist in your final determination.

Best wishes.


R1#show run
hostname R1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
 mode transport
!
crypto map MYMAP local-address Loopback11
crypto map MYMAP 10 ipsec-isakmp
 set peer 33.33.33.3
 set transform-set MYSET
 match address 100
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip rip advertise 60
!
interface Loopback11
 ip address 11.11.11.1 255.255.255.0
 ip rip advertise 60
!
interface Tunnel0
 ip address 13.0.0.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 23.0.0.3
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip rip advertise 60
 duplex auto
 speed auto
 crypto map MYMAP
!
router rip
 timers basic 60 90 90 90
 network 10.0.0.0
 network 11.0.0.0
!
ip route 3.0.0.0 255.0.0.0 Tunnel0
!
access-list 100 permit gre any any
end

R1#show ip route | begin resort
Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 10.0.0.2, 00:00:27, FastEthernet0/0
R    33.0.0.0/8 [120/2] via 10.0.0.2, 00:00:27, FastEthernet0/0
S    3.0.0.0/8 is directly connected, Tunnel0
R    23.0.0.0/8 [120/1] via 10.0.0.2, 00:00:27, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback11
     13.0.0.0/24 is subnetted, 1 subnets
C       13.0.0.0 is directly connected, Tunnel0
R1#

R1#show crypto map
Crypto Map: "MYMAP" idb: Loopback11 local address: 11.11.11.1

Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 33.33.33.3
        Extended IP access list 100
            access-list 100 permit gre any any
        Current peer: 33.33.33.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                MYSET,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0

R1#

******************************************************
******************************************************

R3#show run
hostname R3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
 mode transport
!
crypto map MYMAP local-address Loopback33
crypto map MYMAP 10 ipsec-isakmp
 set peer 11.11.11.1
 set transform-set MYSET
 match address 100
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip rip advertise 60
!
interface Loopback33
 ip address 33.33.33.3 255.255.255.0
 ip rip advertise 60
!
interface Tunnel0
 ip address 13.0.0.3 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.0.0.1
!
interface FastEthernet0/1
 ip address 23.0.0.3 255.255.255.0
 ip rip advertise 60
 duplex auto
 speed auto
 crypto map MYMAP
!
router rip
 timers basic 60 90 90 90
 network 23.0.0.0
 network 33.0.0.0
!
ip route 1.0.0.0 255.0.0.0 Tunnel0
!
access-list 100 permit gre any any
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
!
end

R3#

R3#show ip route | begin resort
Gateway of last resort is not set

S    1.0.0.0/8 is directly connected, Tunnel0
R    2.0.0.0/8 [120/1] via 23.0.0.2, 00:00:48, FastEthernet0/1
     33.0.0.0/24 is subnetted, 1 subnets
C       33.33.33.0 is directly connected, Loopback33
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     23.0.0.0/24 is subnetted, 1 subnets
C       23.0.0.0 is directly connected, FastEthernet0/1
R    10.0.0.0/8 [120/1] via 23.0.0.2, 00:00:48, FastEthernet0/1
R    11.0.0.0/8 [120/2] via 23.0.0.2, 00:00:48, FastEthernet0/1
     13.0.0.0/24 is subnetted, 1 subnets
C       13.0.0.0 is directly connected, Tunnel0

R3#show crypto map
Crypto Map: "MYMAP" idb: Loopback33 local address: 33.33.33.3

Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 11.11.11.1
        Extended IP access list 100
            access-list 100 permit gre any any
        Current peer: 11.11.11.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                MYSET,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/1

R3#ping 1.1.1.1 so lo 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/152/180 ms
R3#


35 Responses to “CCIE Security – Tunnels within Tunnels challenge.”

  1. 1. 2 IP Headers – GRE/IP header and IP header
    2. GRE/IP: Source = Tunnel Source, Destination = Tunnel Destination
    IP Header: Source=IP address of host on 3.3.3.0, destination is Ip address of destination on 1.1.1.0 network

    3. GRE/IP Header –> ESP Header –> GRE header –> IP Header
    4. Transport mode – That’s what the config says :)
    5. GRE over IPSec

  2. Cyril says:

    Hello,

    There will be 2 IP headers, the initial one with SA 1.1.1.1 and DA 3.3.3.3 and the one added due to the GRE encapsulation with SA 11.11.11.1 and DA 33.33.33.3.
    IPSEC is configured in transport mode, and therefore only the GRE payload will get encrypted, leaving the second (GRE) ip header intact.

    The packet will look like that
    | IP HDR2 | |ESP| |GRE| |IP HDR1| |DATA| |ESP trailer|

    It’s being called GRE over IPSEC.

    Rgds Cyril

  3. TacACK says:

    Hello,

    Here’s what i think

    The echo-request packet going from 3.3.3.3 to 1.1.1.1 is going to look like this

    MAC , IP(2) , ESP , GRE , IP(1) , ICMP , Payload

    To answer your questions :

    1. How many IP headers would be in each packet.
    Answer : 2

    2. What would the source and destination address be of each IP header.
    Answer : IP(1) -> Source : 3.3.3.3 , dest : 1.1.1.1
    IP(2) -> Source : 13.0.0.3 dest : 130.0.0.1

    3. What order the IP headers would be in (beginning with the outside header).
    Answer : Please refer illustration (at the beginning)

    4. Would the IPSec be using transport or tunnel mode.
    Answer : Transport mode

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
    Answer : IPsec over GRE , nightmare , interview question that will not get you the job.

    I hope i nailed atleast 1/5 :)

    Cheers,
    TacACK

  4. TacACK says:

    Sorry, there was a typo in the 2nd question’s answer:

    IP(2) -> Source : 13.0.0.3 dest : 13.0.0.1

  5. shrek says:

    1. 3
    2. in the cloud, source will be 23.0.0.3, dest=10.0.0.1
    3. IPSec,GRE,IP
    4. transport
    5. GRE over IPSec

  6. OrlandoSanchez says:

    Let’s give this a try.

    1. 3 total IP headers:
    1 unencrypted IP header
    2 encrypted IP headers
    2. ESP 11.11.11.11 to/from 33.33.33.33
    GRE 13.0.0.1 to/from 23.0.0.3 -=ENCRYPTED=-
    IP 1.1.1.1 to/from 3.3.3.3 -=ENCRYPTED=-
    3. ESP IP, GRE source IP, Original IP
    4. Transport
    5. GRE over IPSec

    Ping from R1 to R3
    ping 3.3.3.3 so 1.1.1.1

    IP 11.11.11.11 -=PEER IP=-
    ESP
    IP 13.0.0.1 -=ENCRYPTED=-
    GRE -=ENCRYPTED=-
    IP 1.1.1.1 -=ENCRYPTED=-
    ICMP -=ENCRYPTED=-

  7. Iman says:

    hi there … I guess there is a little problem with the run. I think this command should be added to :

    R1#conf t
    R1(config)#crypto map MYMAP local-address lo 11

    R1#conf t
    R1(config)#crypto map MYMAP local-address lo 33

    Regards !!!

  8. Iman Mansouri says:

    1. There is only two IP headers. the original IP header and the GRE IP header.
    2. The packet is sent out from the interface 0/0 with ip pair addresses of 11.11.11.1 & 33.33.33.3 . the inner header is the GRE header which has the IP addresses of 1.1.1.1 and 3.3.3.3
    3. [is the L2 -[ GRE IP header ,[ESP Header [Original IP payload ,Data ]]].
    4. in action IPsec header only includes includes the GRE IP payload, this is transport mode.IPSec does not include the GRE IP header. But in reality the IPSec have encrypted the Original IP Payload and the Data. So this can be interpreted as tunnel mode.
    5 think GRE over IPSec.Because it original GRE header is used to transport the ESP .

  9. Iman Mansouri says:

    sorry
    5. i think IPSec over GRE.Because it original GRE header is used to transport the ESP .

  10. Ronnie_hitman says:

    I’m not a security master blaster but will try to answer a few

    1. How many IP headers would be in each packet.
    There will be two IP headers in each packet as it is in tunnel mode

    2. What would the source and destination address be of each IP header.
    Tunnel endpoints in outerheader and original endpoints in original IP header

    3. What order the IP headers would be in (beginning with the outside header).
    new IP header(outer) >> IPSec >> IP header .

    4. Would the IPSec be using transport or tunnel mode.
    Its using Tunnel mode, which is default on Tunnel interface.

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
    a wild guess >> IPsec over GRE.

    Regards

    Ronnie

  11. Jason Beltrame says:

    Looks to be transport mode, and i would call IPSec over GRE.. still need to look into the headers :-)

  12. Gautam Renjen says:

    R3#ping 1.1.1.1 so lo 0

    1. How many IP headers would be in each packet.

    Answer: Two

    2. What would the source and destination address be of each IP header.

    The ICMP one: Source: 3.3.3.3 || Destination: 1.1.1.1

    The GRE one (as it’s transport mode, this will be the final IP header)
    Source: 23.0.0.3 || Destination: 10.0.0.1

    3. What order the IP headers would be in (beginning with the outside header).

    Outside In:

    – Layer2 Stuff
    – IP: S: 23.0.0.3 || D: 10.0.0.1
    – ESP Header
    – GRE Header
    – IP: S: 3.3.3.3 || D: 1.1.1.1
    – ICMP Header and ping payload

    4. Would the IPSec be using transport or tunnel mode.

    Answer: Transport

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).

    Answer: GRE over IPSec
    as GRE is being encapsulated in IPSEC

  13. ciscogeek says:

    1. How many IP headers would be in each packet. 2 headers
    2. What would the source and destination address be of each IP header. outside ip header will be of tunnel source and destination and inside header will the original ip header before the gre encapsulation
    3. What order the IP headers would be in (beginning with the outside header). GRE than original ip header
    4. Would the IPSec be using transport or tunnel mode. tunnel mode
    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”). ipsec over gre tunnel

    thanks

  14. Michal Gontarczyk says:

    Hi, below are my answers:

    1. How many IP headers would be in each packet.
    - 2
    2. What would the source and destination address be of each IP header.
    - first outer header src 23.0.0.3 -> dst 10.0.0.1, second eg. src 3.3.3.3 -> dst 1.1.1.1
    3. What order the IP headers would be in (beginning with the outside header).
    - IP, ESP, GRE, IP, PAYLOAD, ESP trailer
    4. Would the IPSec be using transport or tunnel mode.
    - transport mode
    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).
    - GRE over Ipsec

    I hope correct :)

  15. Anantha Subramanian Natarajan says:

    Hi,

    Kindly find below the responses

    1. How many IP headers would be in each packet.

    2 IP headers in the packet

    2. What would the source and destination address be of each IP header.
    GRE IP header:source:23.0.0.1,dest:23.0.0.3

    3. What order the IP headers would be in (beginning with the outside header).

    GRE IP header and IP header of the packet

    4. Would the IPSec be using transport or tunnel mode.

    Transport

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).

    GRE over IPSEC

    Thanks

    Regards
    Anantha Subramanian Natarajan

  16. Anantha Subramanian Natarajan says:

    Hi,

    Missed to answer one part of question 3,Ip header source is 3.3.3.3 and dest:1.1.1.1

    Thanks

    Regards
    Anantha Subramanian Natarajan

  17. Mike Boos says:

    1- Three, one for esp-ip, one for gre-ip, one for ip

    2- ESP IP Header: 11.11.11.1/ 33.33.33.3
    GRE IP Header: 10.0.0.1/23.0.0.3
    IP Header: 1.1.1.1 / 3.3.3.3
    .
    3- ESP IP Header/ESP Header/GRE IP Header/GRE/IP header/TCP header/DATA/ESP Trailer

    4- Configured for transport, but the result would be tunnel mode!

    5- IPSEC over GRE transport mode:) (equivalent to GREoIPSec Tunnel mode)

  18. Eugene Khabarov says:

    1) 2 headers – one for original and one for gre tunnel, 30 – 37 bytes will be used for ipsec transport header. It requires the payload size to be a multiple of 8 bytes so from 0 to 7 bytes may be needed for padding, 24 bytes will be used for gre header
    2) external gre ip header: 10.0.0.1 – 23.0.0.3, original (internal) ip header: 1.1.1.1 – 3.3.3.3
    3) gre ip header – original ip header
    4) ipsec tunnel mode will be transport according to transform-set
    5) this would be called gre over ipsec.

  19. Iman – The local-address commands are in there, just above the creation of the crypto maps.

  20. Lots of great input! If you want to revise your answer, no problem. The drawing will be on Monday evening!

    Thanks.

  21. Sivchev says:

    1. There should be three IP headers in each packet:

    – (1) encapsulating the ESP
    – (2) inside the ESP which is GRE/delivery IP header
    – (3) inside the GRE payload encapsulating the ICMP echos

    2. Headers:

    – (1) IPv4 SA & DA will be 11.11.11.1 and 33.33.33.3, protocol field should be set to ESP
    – (2) IPv4 SA & DA will be 10.0.0.1 and 23.0.0.3, protocol field should be set to GRE
    – (3) IPv4 SA & DA will be 1.1.1.1 and 3.3.3.3, protocol field should be set to ICMP

    3. Header order:

    – IP header (1) with SA/DA 11.11.11.1 and 33.33.33.3, protocol = ESP
    – ESP header
    – IP header (2) with SA/DA 10.0.0.1 and 23.0.0.3, protocol = GRE
    – GRE header
    – IP header (3) with SA/DA 1.1.1.1 and 3.3.3.3, protocol = ICMP
    – ICMP header
    – ICMP payload
    – ESP trailer

    4. Despite configured for IPSec transport mode IPSec will always work in tunnel mode with the current configuration – see the enclosed output from my test below. In my opinion reason for that is because IPSec crypto map is applied on the physical interface, and GRE Tunnel interface source and destination are set to the physical interfaces IPs whereas crypto identities are Loopback interfaces 11 and 33 /for R1 and R3 correspondingly set via command "crypto map local-address" /. I guess if we change the GRE Tunnel source and destination to match crypto identities /set them to Loopbacks 11 and 33/ then IPsec should start working in transport mode – something to do as next step.

    R1#ping 3.3.3.3 source 1.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 28/36/48 ms
    R1#
    R1#sh cry ips trans
    Transform set MYSET: { esp-null esp-md5-hmac }
    will negotiate = { Transport, },

    R1#sh cry ips sa | i in use
    in use settings ={Tunnel, }
    in use settings ={Tunnel, }
    R1#

    5. This is supposed to work as GRE over IPSec, and on this I based my answers to questions 1 to 3 but with the current config having the crypto identities not matching the GRE tunnel endpoints is quite confusing I admit.

  22. Dano says:

    Here’s my answer:

    1) 2 IP headers exist. 1 is GRE IP and 1 is the IP header. IPSEC does not need an IP header because it is encapsulated inside of the GRE “Tunnel”.

    2) Router #1: GRE IP Header Source: 10.0.0.1, Dest: 23.0.0.3
    IP header: Source: 11.11.11.1, Dest: 33.33.33.3
    vice versa for Router #2.

    3) GRE IP Header, ESP Header, GRE, IP Header, TCP Header DATA, ESP Trailer

    4) Transport

    5) This is tough, but either way you have to call it GRE over IPsec because in both cases there is GRE data being encrypted by IPsec.

  23. Dano says:

    Correction, IP headers are the loopbacks 1.1.1.1, Destination 3.3.3.3 and vice versa.

  24. dageekkid says:

    I agree with sivchev as exactly he stated below:

    1. There should be three IP headers in each packet:

    – (1) encapsulating the ESP
    – (2) inside the ESP which is GRE/delivery IP header
    – (3) inside the GRE payload encapsulating the ICMP echos

    2. Headers:

    – (1) IPv4 SA & DA will be 11.11.11.1 and 33.33.33.3, protocol field should be set to ESP
    – (2) IPv4 SA & DA will be 10.0.0.1 and 23.0.0.3, protocol field should be set to GRE
    – (3) IPv4 SA & DA will be 1.1.1.1 and 3.3.3.3, protocol field should be set to ICMP

    3. Header order:

    – IP header (1) with SA/DA 11.11.11.1 and 33.33.33.3, protocol = ESP
    – ESP header
    – IP header (2) with SA/DA 10.0.0.1 and 23.0.0.3, protocol = GRE
    – GRE header
    – IP header (3) with SA/DA 1.1.1.1 and 3.3.3.3, protocol = ICMP
    – ICMP header
    – ICMP payload
    – ESP trailer

    4. Despite configured for IPSec transport mode IPSec will always work in tunnel mode with the current configuration – see the enclosed output from my test below. In my opinion reason for that is because IPSec crypto map is applied on the physical interface, and GRE Tunnel interface source and destination are set to the physical interfaces IPs whereas crypto identities are Loopback interfaces 11 and 33 /for R1 and R3 correspondingly set via command "crypto map local-address" /. I guess if we change the GRE Tunnel source and destination to match crypto identities /set them to Loopbacks 11 and 33/ then IPsec should start working in transport mode – something to do as next step.

    R1#ping 3.3.3.3 source 1.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 28/36/48 ms
    R1#
    R1#sh cry ips trans
    Transform set MYSET: { esp-null esp-md5-hmac }
    will negotiate = { Transport, },

    R1#sh cry ips sa | i in use
    in use settings ={Tunnel, }
    in use settings ={Tunnel, }
    R1#

    5. This is supposed to work as GRE over IPSec, and on this I based my answers to questions 1 to 3 but with the current config having the crypto identities not matching the GRE tunnel endpoints is quite confusing I admit.

  25. Kingsley Charles says:

    Let’s consider we ping from r1

    R1#ping 3.3.3.3 source 1.1.1.1

    1. How many IP headers would be in each packet.

    The format of the packet will be

    IPhdrESP – IPHdrGRE – IPhdrpayload

    Total 3 IP headers

    2. What would the source and destination address be of each IP header.

    Taking the headers from the left i.e., outermost

    Outer most IP header – ESP’s IP header

    Src IP – 11.11.11.11
    Dest IP – 33.33.33.33

    Next IP header – GRE’s IP header

    Src IP – 13.0.0.1
    Dest IP – 23.0.0.3

    Inner most IP header – ICMP’s header

    Src IP – 1.1.1.1
    Dest IP – 3.3.3.3

    3. What order the IP headers would be in (beginning with the outside header).

    From left

    Outside IP header – ESP’s IP header
    Middle IP header – GRE’s IP header
    Inner IP header – Payload’s IP header

    4. Would the IPSec be using transport or tunnel mode.

    Transport mode uses the original IP header and inserts ESP header in between the IP header and Payload.

    Tunnel mode uses a new IP header and inserts ESP in between the new IP header and original IP header.

    With this configuration that is GREoIPSec both when using transport or tunnel mode, the packet format and the number of IP header is same.

    Here we have three IP headers. The outermost/leftmost IP header is that of the crypto interface and original IP header of the payload in inner most.

    Hence I would say this is tunnel mode.

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).

    This is known as GREoIPSec. GRE is transported over IPSec, hence we call it GRE over IPSEC – GREoIPSec

  26. Kingsley Charles says:

    Missed some words in my answer of 4th question..

    Here we have three IP headers. The outermost/leftmost IP header will have the IP addresses of 11.11.11.11 and 33.33.33.33.
    from the crypto interfaces

    The inner most IP header is the original IP header will have IP addresses of 1.1.1.1 and 3.3.3.3

    By definition, it is transport mode.

  27. Kingsley Charles says:

    Overlooked, correcting 2nd answer :-)

    2. What would the source and destination address be of each IP header.

    Taking the headers from the left i.e., outermost

    Outer most IP header – ESP’s IP header

    Src IP – 11.11.11.1
    Dest IP – 33.33.33.3

    Next IP header – GRE’s IP header

    Src IP – 10.0.0.1
    Dest IP – 23.0.0.3

    Inner most IP header – ICMP’s header

    Src IP – 1.1.1.1
    Dest IP – 3.3.3.3

  28. Kingsley Charles says:

    Ok, this is my last and final post. There are typos in my last three posts. I have mentioned transport mode by mistake instead of the tunnel mode. Also I have put the correct addresses of l11 and l33 in the post.

    Corrections in this post are that I have put correct addresses and the “tunnel mode” as the answer.

    Consider this as my final answer

    Let’s consider we ping from r1

    R1#ping 3.3.3.3 source 1.1.1.1

    1. How many IP headers would be in each packet.

    The format of the packet will be

    IPhdrESP – IPHdrGRE – IPhdrpayload

    Total 3 IP headers

    2. What would the source and destination address be of each IP header.

    Taking the headers from the left i.e., outermost

    Outer most IP header – ESP’s IP header

    Src IP – 11.11.11.1
    Dest IP – 33.33.33.3

    Next IP header – GRE’s IP header

    Src IP – 10.0.0.1
    Dest IP – 23.0.0.3

    Inner most IP header – ICMP’s header

    Src IP – 1.1.1.1
    Dest IP – 3.3.3.3

    3. What order the IP headers would be in (beginning with the outside header).

    From left

    Outside IP header – ESP’s IP header
    Middle IP header – GRE’s IP header
    Inner IP header – Payload’s IP header

    4. Would the IPSec be using transport or tunnel mode.

    Transport mode uses the original IP header and inserts ESP header in between the IP header and Payload.

    Tunnel mode uses a new IP header and inserts ESP in between the new IP header and original IP header.

    With this configuration that is GREoIPSec both when using transport or tunnel mode, the packet format and the number of IP header is same.

    Here we have three IP headers. The outermost/leftmost IP header will have the IP addresses of 11.11.11.1 and 33.33.33.3.
    from the crypto interface.

    The inner most IP header is the original IP header will have IP addresses of 1.1.1.1 and 3.3.3.3

    Since the packet uses a new IP header and that of the router doing IPSec by definition, it is tunnel mode.

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else, (like “nightmare”).

    This is known as GREoIPSec. GRE is transported over IPSec, hence we call it GRE over IPSEC – GREoIPSec

  29. Shoeb says:

    My Answers:
    1. Two IP headers – Outside IP header and Actual IP header
    2. Outside GRE/IP header – source: GRE tunnel source, dest: GRE tunnel dest
    Actual IP header – source: host from 3.3.3.0/24 network, dest: host from 1.1.1.0/24 network
    3. GRE/IP header | ESP | GRE header | Actual IP header | Data | ESP Trailer
    4. Transport mode
    5. IPSec over GRE bcoz of the transport mode

    Rgds,
    Shoeb

  30. Cisco'n cie says:

    1. How many IP headers would be in each packet.

    3 IP headers

    2. What would the source and destination address be of each IP header.

    - outside IP HDR SA 11.11.11.1 DA 33.33.33.3 Prot ESP (50)
    - inside ESP-encaps IP HDR SA 10.0.0.1 DA 23.0.0.3 Prot GRE (47)
    - inside GRE-encaps IP HDR SA 1.1.1.1 DA 3.3.3.3 Prot ICMP (1)
    (assuming a ping from 1.1.1.1 to 3.3.3.3)

    3. What order the IP headers would be in (beginning with the outside header).

    As per above
    IP HDR1 — ESP — IP HDR2 — GRE — IP HDR3 — ICMP — ESP trailer

    4. Would the IPSec be using transport or tunnel mode.

    Despite the config says transport, ipsec is actually using tunnel mode since the ipsec peers’ip differ from the GRE endpoints

    5. Would this be called IPSec over GRE, GRE over IPSec, or something else

    As GRE is encapsulated into ESP, that’s likely to be called GRE over IPSEC

  31. Jason Beltrame says:

    1. 2 IP Headers

    2. IP2 (inner) 3.3.3.3 1.1.1.1
    IP1 (outer) 10.0.0.3 10.0.0.1

    3. IP1 – IP2

    4. Transport

    5. GRE over IPSEC

  32. halawlaw says:

    1) 2 IP headers exist. 1 is GRE IP and 1 is the IP header.
    2) GRE IP Header Source: 13.0.0.1, Dest: 13.0.0.3
    IP header: Source: 11.11.11.1, Dest: 33.33.33
    3)
    4) Transport
    5) GRE over IPsec

  33. Moustafa Houssami says:

    Hello, here are some answers:
    1- 2 IP Headers
    4- Transport
    5- IPSec Over GRE

    i’ll try to reply on 2 & 3 later on tonight

  34. Hello – Thanks for all the awesome input!

    The answers were added to the post, and a winner was selected. Take a look at the answers as well as who won the 100 tokens for graded labs!

    Thanks again.

  35. Kingsley Charles says:

    Th INE…..

    Love this blog

    With regards
    Kings
